Cross-Account Role

Prerequisites

  • Two AWS accounts (source and target)
  • Terraform >= 1.0
  • Credentials in the target account that can create IAM roles and attach policies (to apply the Terraform), and credentials in the source account that are allowed to call sts:AssumeRole

Step 1: Define Trust Policy

# Trust policy: who may call sts:AssumeRole on this role.
data "aws_iam_policy_document" "cross_account_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      # Trusting the source account's root ARN trusts the whole account; which
      # of its principals may actually assume the role is then decided by IAM
      # policies in the source account. Replace 123456789012 with the source
      # account ID, or narrow this to a specific role ARN.
      identifiers = ["arn:aws:iam::123456789012:root"]
    }
    # Require a matching ExternalId. This mitigates the confused-deputy
    # problem: a caller that does not present the value cannot be tricked into
    # assuming the role on a third party's behalf. Generate a unique value per
    # trust relationship instead of reusing a guessable placeholder.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["unique-external-id"]
    }
  }
}

Step 2: Create the Role

module "cross_account_role" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/iam-role/aws"
  version = "2.0.0"

  # Name used in the assume-role ARN in Step 3. Despite "admin" in the name,
  # the permissions attached below are read-only.
  name               = "cross-account-admin"
  assume_role_policy = data.aws_iam_policy_document.cross_account_assume.json

  # Permissions the session holds in the target account once assumed.
  managed_policy_arns = [
    "arn:aws:iam::aws:policy/ReadOnlyAccess"
  ]

  # One hour, the shortest allowed value; callers cannot request longer sessions.
  max_session_duration = 3600
}

Step 3: Assume the Role

From the source account, using credentials that are allowed to call sts:AssumeRole on the target role, assume it:

aws sts assume-role \
  --role-arn "arn:aws:iam::TARGET_ACCOUNT:role/cross-account-admin" \
  --role-session-name "admin-session" \
  --external-id "unique-external-id"

The --external-id value must match the sts:ExternalId condition in the trust policy exactly; otherwise STS returns AccessDenied. The response carries a Credentials block (AccessKeyId, SecretAccessKey, SessionToken, Expiration). Export those as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN before running further commands, or configure a named profile in ~/.aws/config with role_arn, source_profile and external_id so the CLI performs the assume-role for you.

Step 4: Verify Access

With the temporary credentials in place, run aws sts get-caller-identity and confirm that Account is the target account and Arn is arn:aws:sts::TARGET_ACCOUNT:assumed-role/cross-account-admin/admin-session. Then check permissions in both directions: a read-only call (listing resources, for example) should succeed, and a write call should be denied, since the role carries only ReadOnlyAccess. A write that succeeds means more than the intended policy is attached to the role.
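The four steps above, wrapped into one script as an added example (this is not code from the original page or from the module's authors). It assumes AWS CLI v2 on PATH, source-account credentials and a default region already in the environment; the target account ID and external ID are passed as arguments. The helper names (expected_session_arn, credential_exports, classify_dry_run, assume_role, verify_role) are this example's own, and the EC2 dry-run write probe is a technique chosen here, not one the page prescribes.

```shell
#!/bin/sh
# Added example, not from the original page: assume the cross-account role
# with its external ID, export the temporary credentials, then verify that
# the session is the intended role and that it is read-only.
# Usage: sh assume_and_verify.sh run TARGET_ACCOUNT EXTERNAL_ID
set -eu

ROLE_NAME="cross-account-admin"   # matches the Terraform module's name
SESSION_NAME="admin-session"      # matches --role-session-name in Step 3

# ARN that sts:GetCallerIdentity reports for an assumed-role session.
expected_session_arn() {
  # $1 = target account id, $2 = role name, $3 = session name
  printf 'arn:aws:sts::%s:assumed-role/%s/%s\n' "$1" "$2" "$3"
}

# Turn one tab-separated line of `assume-role --output text` into export
# statements. Field order follows the --query list used in assume_role:
# AccessKeyId, SecretAccessKey, SessionToken, Expiration.
credential_exports() {
  tab=$(printf '\t')
  IFS="$tab" read -r ce_key ce_secret ce_token ce_expiry <<EOF
$1
EOF
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$ce_key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$ce_secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$ce_token"
  printf "export AWS_CREDENTIAL_EXPIRATION='%s'\n" "$ce_expiry"  # informational
}

# Interpret the stderr of an EC2 --dry-run write probe. A dry run changes
# nothing: EC2 answers UnauthorizedOperation when the caller lacks the
# permission and DryRunOperation when the call would have been allowed.
classify_dry_run() {
  case "$1" in
    *UnauthorizedOperation*) echo denied ;;
    *DryRunOperation*)       echo allowed ;;
    *)                       echo unknown ;;
  esac
}

# Step 3: assume the role and export its credentials into this shell.
assume_role() {
  # $1 = target account id, $2 = external id
  line=$(aws sts assume-role \
    --role-arn "arn:aws:iam::$1:role/$ROLE_NAME" \
    --role-session-name "$SESSION_NAME" \
    --external-id "$2" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text)
  eval "$(credential_exports "$line")"
}

# Step 4: identity is the assumed role, a read works, a write is denied.
verify_role() {
  # $1 = target account id
  actual=$(aws sts get-caller-identity --query Arn --output text)
  if [ "$actual" != "$(expected_session_arn "$1" "$ROLE_NAME" "$SESSION_NAME")" ]; then
    echo "unexpected identity: $actual" >&2; return 1
  fi
  # A read that ReadOnlyAccess permits.
  aws ec2 describe-regions --query 'Regions[0].RegionName' --output text >/dev/null
  # A write that ReadOnlyAccess must reject; --dry-run means nothing is tagged.
  probe=$(aws ec2 create-tags --dry-run --resources i-0123456789abcdef0 \
            --tags Key=probe,Value=1 2>&1 >/dev/null || true)
  case "$(classify_dry_run "$probe")" in
    denied)  echo "ok: $actual is read-only in account $1" ;;
    allowed) echo "role is over-privileged: a write would be allowed" >&2; return 1 ;;
    *)       echo "unexpected probe result: $probe" >&2; return 1 ;;
  esac
}

if [ "${1:-}" = "run" ]; then
  assume_role "$2" "$3"
  verify_role "$2"
fi
```

The write probe deliberately uses an EC2 dry run rather than a real mutation such as creating an IAM user: if the role were over-privileged, a real write would leave a change behind in the target account, whereas the dry run only reports whether the call would have been authorised.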