amazon web services – How to create a IAM user with permissions on sub-accounts using roles


I hope can help someone 😉

1- In the root account, create the IAM user.

The permissions in the Sub-account will be managed by the role permissions(policies).

2- In the sub-account, Go to IAM / Role / Create Role
2.1- Select tab "Another AWS Account" and paste the Root AccountID
2.2- Attach any permission that you want
2.3- Once the Role is created, save the Role name and Role ARN.
3-  Go to Roles / Permissions and remove the basic policy that you add previously.
3.1- Click on “Add inline policy” and select the service and permissions that you want to provide (read, write, list, etc.)
You also can set the permissions with JSON.
3.2- Go to Roles / Trusted Relationships Tab, and verify that the Root AccountID appears there.
4- In the Root account go to IAM / Users / user / Permissions and click on "Add inline policy” / JSON Tab
4.1-  Now add the AssumeRole Policy ( https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html )
Replace the default ARN with your Role ARN.

Verify If you can switch roles with the user.