I hope this can help someone 😉
1- In the root (parent) account, create the IAM user. This is the account that owns the user, not the AWS root user; the user itself gets no permissions in the sub-account.
What the user can do in the sub-account is governed entirely by the permissions (policies) attached to the role it will assume.
2- In the sub-account, go to IAM / Roles / Create role.
2.1- Select the "Another AWS account" option and paste the root account's Account ID.
2.2- Attach any permission policy for now; it only exists so the role can be created and is replaced in step 3.
2.3- Once the role is created, save the role name and the role ARN.
3- Go to Roles / your role / Permissions and remove the placeholder policy you attached in step 2.2.
3.1- Click "Add inline policy" and select the service and the access level you want to grant (read, write, list, etc.). You can also write the permissions directly as JSON.
3.2- Open the Trust relationships tab and verify that the root account's Account ID appears there. Note that the "Another AWS account" option produces a trusted principal of the form arn:aws:iam::<root account ID>:root, which means any principal in the root account that has been granted sts:AssumeRole on this role can assume it. If only this one user should be able to, edit the trust policy and replace the :root principal with the user's ARN.
4- In the root account, go to IAM / Users / your user / Permissions, click "Add inline policy" and open the JSON tab.
4.1- Add the AssumeRole policy from https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html and replace the example ARN with the role ARN you saved in step 2.3. This grants the user only sts:AssumeRole on that one role and nothing else.
Verify that the user can switch roles: in the console, use Switch Role with the sub-account's Account ID and the role name; on the CLI, run aws sts assume-role with the role ARN and a session name and check that temporary credentials are returned.
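The two policy documents the steps above produce, as an added example that is not part of the original post: a trust policy for the role in the sub-account (steps 2 and 3.2) and the sts:AssumeRole inline policy for the user in the root account (step 4.1), plus a local approximation of the check STS performs so you can see why both documents must agree before the switch in the last step succeeds. Account IDs, user and role names, the CrossAccountReadOnly role and the team-42 external ID are constructed placeholders; the evaluator supports exact ARNs and "*" only, not the full IAM wildcard grammar.

```python
"""Added example (not from the original post): build and sanity-check the
cross-account trust and AssumeRole policies described in the walkthrough.
All account IDs, names and ARNs are constructed placeholders."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/[^/]+|role/[^/]+)$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[^/]+$")


def build_trust_policy(trusted_account_id, trusted_principal_arn=None, external_id=None):
    """Trust policy for the role in the sub-account.

    The console's "Another AWS account" option yields arn:aws:iam::<id>:root,
    which trusts every principal in that account that also holds
    sts:AssumeRole. Passing trusted_principal_arn narrows the trust to one
    user; external_id adds the sts:ExternalId condition used against
    confused-deputy misuse by third parties."""
    if not ACCOUNT_ID_RE.fullmatch(trusted_account_id):
        raise ValueError("account id must be 12 digits")
    principal = trusted_principal_arn or "arn:aws:iam::%s:root" % trusted_account_id
    if not PRINCIPAL_ARN_RE.fullmatch(principal):
        raise ValueError("unsupported principal ARN: %s" % principal)
    statement = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_assume_role_policy(role_arn):
    """Inline policy for the IAM user in the root account: only sts:AssumeRole
    on exactly one role ARN (step 4.1 of the walkthrough)."""
    if not ROLE_ARN_RE.fullmatch(role_arn):
        raise ValueError("expected an IAM role ARN, got %s" % role_arn)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_allows(statement, caller_arn):
    """Exact principal match, or an account-root principal for the caller's account."""
    m = PRINCIPAL_ARN_RE.fullmatch(caller_arn)
    if not m:
        return False
    for trusted in _as_list(statement.get("Principal", {}).get("AWS", [])):
        if trusted == caller_arn or trusted == "arn:aws:iam::%s:root" % m.group(1):
            return True
    return False


def _condition_allows(statement, external_id):
    required = statement.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
    return required is None or required == external_id


def _identity_allows(policy, role_arn):
    """Does the caller's identity policy allow sts:AssumeRole on this role?
    Simplified: exact resource/action or "*" only, no Deny handling."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        if ({"sts:AssumeRole", "sts:*", "*"} & set(actions)) and (role_arn in resources or "*" in resources):
            return True
    return False


def can_assume(trust_policy, caller_identity_policy, caller_arn, role_arn, external_id=None):
    """Cross-account AssumeRole succeeds only when the role's trust policy
    admits the caller AND the caller's own policy grants sts:AssumeRole on the role."""
    trusted = any(st.get("Effect") == "Allow"
                  and "sts:AssumeRole" in _as_list(st.get("Action", []))
                  and _principal_allows(st, caller_arn)
                  and _condition_allows(st, external_id)
                  for st in trust_policy["Statement"])
    return trusted and _identity_allows(caller_identity_policy, role_arn)


if __name__ == "__main__":
    role = "arn:aws:iam::222222222222:role/CrossAccountReadOnly"  # constructed
    trust = build_trust_policy("111111111111", trusted_principal_arn="arn:aws:iam::111111111111:user/alice")
    print(json.dumps(trust, indent=2))                      # paste into the role's trust relationship
    print(json.dumps(build_assume_role_policy(role), indent=2))  # paste into the user's inline policy
    print(can_assume(trust, build_assume_role_policy(role), "arn:aws:iam::111111111111:user/alice", role))
```

Running the module prints both documents ready to paste into the console. The evaluator shows the two failure modes you will hit in the last step: a user whose inline policy names the wrong role ARN is refused even though the trust policy admits the whole account, and once the trust policy is narrowed to one user ARN, other users in the root account are refused even with a correct inline policy.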