
It is a common case where you would use roles for user accounts in AWS, assuming a role from one AWS account into another. For this example there is an "empty" account in AWS I'll call the Access account, only for individual users to log into. There is zero infrastructure in the account. Then there is a second account that has infrastructure running, which I will call Prod. For console access, a user would log into the Access account and then assume a role in the Prod account. This is pretty straightforward.

For access keys and the CLI: my understanding is that the user would have to have an access_key and secret in the Access account. After doing a small bit of configuration, the user can then send commands via the CLI. It will allow the user to run commands against Prod if their access key matches a role in Prod and that role has the correct permissions. I have tested this and it works fine.

The question is, is there a better way to do this? With the method above for access keys, the user still needs to have a long-lived access_key in the Access account. Therefore, the user should still have to be rotating their Access account access_key periodically.

Is there another way to get a short lived temporary access_key to Prod without needing a long lived access_key in the Access account?

hahahahey
  • If the only thing that your users need is the AWS CLI, why not let them log in to some EC2 instance and use the EC2 role for the CLI operations? – Marcin Jun 16 '22 at 01:52
  • Educate your users to assume the role using the CLI. Guidance here: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/ – Sharuzzaman Ahmat Raslan Jun 16 '22 at 03:49
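The CLI setup the question describes, written out as an added example that is not part of the original post: the Access account user keeps a long-lived key under the `access` profile, and the `prod` profile holds no key at all, only the role to assume and the profile whose credentials STS should see. The account IDs, role and user names, the MFA device ARN and the sample `assume-role` output are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): role chaining from an "Access"
# (identity) account into "Prod" with the AWS CLI. Account IDs, role names
# and the MFA device ARN below are placeholders.
set -eu

# Write the two profiles into CONFIG_FILE:
#  - "access": the IAM user in the Access account. Its long-lived key lives in
#    the matching [access] section of ~/.aws/credentials, never in this file.
#  - "prod":   no keys at all. The CLI calls sts:AssumeRole with the "access"
#    credentials (prompting for the MFA code because mfa_serial is set) and
#    caches the temporary credentials it gets back for duration_seconds.
write_role_profiles() {
    config_file=$1
    cat > "$config_file" <<'EOF'
[profile access]
region = us-east-1

[profile prod]
role_arn = arn:aws:iam::222222222222:role/ProdAdmin
source_profile = access
mfa_serial = arn:aws:iam::111111111111:mfa/alice
duration_seconds = 3600
region = us-east-1
EOF
}

# Turn the single tab-separated line produced by
#   aws sts assume-role --profile access \
#     --role-arn arn:aws:iam::222222222222:role/ProdAdmin \
#     --role-session-name alice \
#     --serial-number arn:aws:iam::111111111111:mfa/alice --token-code 123456 \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
#     --output text
# into the three export lines a shell needs for a manual session. Reads stdin.
sts_line_to_env() {
    read -r key secret token
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
}

main() {
    cfg=$(mktemp)
    write_role_profiles "$cfg"
    echo "wrote role-chaining profiles to $cfg"
    # Constructed sample of the assume-role output (not real credentials).
    # Temporary STS keys always start with ASIA; long-lived IAM user keys
    # start with AKIA, which is how you can spot the latter in a config.
    printf 'ASIAEXAMPLEKEY\tEXAMPLESECRET\tEXAMPLESESSIONTOKEN\n' | sts_line_to_env
    if [ "${RUN_LIVE:-0}" = 1 ]; then
        # Needs a real key for the "access" profile and network access.
        AWS_CONFIG_FILE=$cfg aws sts get-caller-identity --profile prod
    fi
    rm -f "$cfg"
}
main
```

With the `prod` profile in place, `aws s3 ls --profile prod` and every other CLI call assume the role transparently; the manual `assume-role` plus `export` route is only needed for tools that do not read `~/.aws/config`. Either way the long-lived key still exists in the Access account, which is exactly the point the question raises.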

1 Answer


To have only short-term credentials in your AWS environment, you want to look into federation.

The pattern you've described is a valid one, but you're correct that the users will still have long-term credentials. At least in this "identity account" model you have one location to manage and monitor (and revoke!) those credentials.

rowanu
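One concrete form of the federation the answer recommends, as an added example that is not part of the answer: an IAM Identity Center (formerly AWS SSO) profile for the AWS CLI v2, which stores no access key in either account, plus the check a practitioner would run afterwards for long-lived keys left behind in a credentials file. It assumes an Identity Center instance already exists with a permission set mapped to the Prod account; the start URL, account ID and permission-set name are placeholders, and the credentials file it scans is constructed.

```shell
#!/bin/sh
# Added example (not from the original answer): federated CLI access through
# IAM Identity Center so that no long-lived key exists in either account.
# The start URL, account ID and permission set below are placeholders.
set -eu

# Profile that gets its credentials from IAM Identity Center. "aws sso login"
# opens the IdP sign-in in a browser and caches a short-lived token under
# ~/.aws/sso/cache; every later CLI call trades that token for temporary
# credentials for the permission set's role in the Prod account.
write_sso_profile() {
    config_file=$1
    cat > "$config_file" <<'EOF'
[profile prod]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 222222222222
sso_role_name = ProdAdmin
region = us-east-1
EOF
}

# Practitioner's check: print any long-lived IAM user keys in a credentials
# or config file. Long-lived keys start with AKIA; temporary credentials from
# STS or Identity Center start with ASIA. Returns 0 (and prints the lines)
# when an AKIA key is present, 1 when the file holds none.
find_long_lived_keys() {
    grep -E '^[[:space:]]*aws_access_key_id[[:space:]]*=[[:space:]]*AKIA' "$1"
}

main() {
    cfg=$(mktemp)
    write_sso_profile "$cfg"
    if find_long_lived_keys "$cfg"; then
        echo "long-lived key found in $cfg"
    else
        echo "$cfg holds no long-lived keys"
    fi
    # Constructed credentials file in the question's pattern, for contrast
    # (placeholder key, not a real one).
    creds=$(mktemp)
    printf '[access]\naws_access_key_id = AKIAEXAMPLEEXAMPLE\naws_secret_access_key = example\n' > "$creds"
    if find_long_lived_keys "$creds"; then
        echo "rotate or remove the key above"
    fi
    if [ "${RUN_LIVE:-0}" = 1 ]; then
        # Needs a real Identity Center instance, a browser and network access.
        AWS_CONFIG_FILE=$cfg aws sso login --profile prod
        AWS_CONFIG_FILE=$cfg aws sts get-caller-identity --profile prod
    fi
    rm -f "$cfg" "$creds"
}
main
```

The session length is set on the permission set in Identity Center rather than in the profile, and revocation happens at the IdP or by removing the assignment, which is the single place to manage and monitor that the answer's identity-account model was approximating with long-lived keys.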