Grant Temporary Access to an IAM User or Group to Another AWS Account

Say you have 2 AWS accounts, 1 for dev & 1 for prod. In most cases devs have no access to prod, and that's how it should be. But when things break in prod, it helps to let the devs take a look in there. That doesn't mean giving devs permanent access to prod: you want to grant them access when it's required and revoke it right after.

You can use IAM roles & policies to achieve this. Start by creating an IAM role in prod that has all the permissions the devs would need when they're granted access during a prod outage. The role creation would look like this:

Now that that's in place, all you have to do when the devs need prod access is to let the devs' IAM group in the dev account assume this role by granting them the sts:AssumeRole permission on it. When it's time to revoke their access, simply remove this 1 sts:AssumeRole statement from their IAM policy. The process of granting the permission would look something like this:

And that would in turn add this statement to the devs' IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/devs-in-prod"
            ]
        }
    ]
}
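As an added example (not the post's own code), here is the grant/revoke step as pure functions over the policy JSON, with a check that the revoke really closed the path (a wildcard like sts:* elsewhere in the policy would keep it open), plus the trust policy the prod role itself must carry, since the dev-side grant alone does nothing until prod trusts the dev account. The role ARN is the one from the post; the dev account id 111111111111 is a constructed placeholder.

```python
import copy

# Role ARN is from the post; the dev account id is a constructed placeholder.
PROD_ROLE_ARN = "arn:aws:iam::123456789012:role/devs-in-prod"
DEV_ACCOUNT_ID = "111111111111"
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}

def assume_role_statement(role_arn):
    """The exact statement the post adds to the devs' IAM policy."""
    return {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [role_arn]}

def grant(policy, role_arn):
    """Copy of the dev group's policy with the AssumeRole statement added (idempotent)."""
    new = copy.deepcopy(policy)
    stmt = assume_role_statement(role_arn)
    if stmt not in new["Statement"]:
        new["Statement"].append(stmt)
    return new

def revoke(policy, role_arn):
    """Copy of the policy with that one AssumeRole statement removed again."""
    new = copy.deepcopy(policy)
    new["Statement"] = [s for s in new["Statement"] if s != assume_role_statement(role_arn)]
    return new

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def can_assume(policy, role_arn):
    """Post-revoke check: does any Allow statement (wildcards included) still permit
    sts:AssumeRole on role_arn? Deny statements are deliberately not evaluated here."""
    for s in policy["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(s.get("Action", []))}
        resources = _as_list(s.get("Resource", []))
        if actions & {"sts:assumerole", "sts:*", "*"} and (
                role_arn in resources or "*" in resources):
            return True
    return False

def prod_trust_policy(dev_account_id):
    """Trust policy the prod role needs so principals in the dev account may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{dev_account_id}:root"},
        "Action": "sts:AssumeRole"}]}
```

The JSON returned by grant() or revoke() is what you would push with `aws iam put-group-policy` in the dev account, and prod_trust_policy() is the document for the role's trust relationship in prod.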
