I'm contracting for a company that has multiple AWS accounts. They gave me access to the Login account and I "Switch Role" in the web console to the Project account I work on. In the web GUI it works.
How do I do the same with aws-cli? I only have access keys for the Login account and I don’t have permissions to create a user and access keys in the Project account. Is it even possible?
Best Answer
Of course it's possible!
Let's assume you've got your Login account credentials in ~/.aws/credentials, probably something like this:
All you need to do is to add another profile to ~/.aws/credentials that will use the above profile to switch account to your project account role. You will also need the Project account Role ARN - you can find that in the web console in IAM -> Roles after you switch to the Project account. Let's say the Project account number is 123456789012...
With that in place you can test if it works:
As you can see you're now in the Project account as confirmed by the Account id 123456789012.
If you want to always use this profile with aws-cli you can do so:
For more info check out this post: https://aws.nz/best-practice/cross-account-access-with-aws-cli/
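An added example (not the answerer's code) of the profile setup the answer above describes: it appends a role profile that points at the Login profile to a credentials file, refusing malformed or duplicate entries. The profile names login and project, the role name ProjectRole and the key values are placeholders assumed here; the account number is the one used in the answer.

```shell
# Added example: profile names, role name and keys are constructed placeholders.
# Append a role profile that reuses another profile's keys to assume the role.
# $1 = credentials file, $2 = new profile, $3 = source profile, $4 = role ARN
add_role_profile() {
    # The source profile must already exist, and the new one must not.
    grep -qxF "[$3]" "$1" || { echo "no [$3] profile in $1" >&2; return 1; }
    if grep -qxF "[$2]" "$1"; then echo "[$2] already exists" >&2; return 1; fi
    # Only accept something shaped like an IAM role ARN.
    case $4 in
        arn:aws:iam::[0-9]*:role/?*) ;;
        *) echo "not a role ARN: $4" >&2; return 1 ;;
    esac
    printf '\n[%s]\nrole_arn = %s\nsource_profile = %s\n' "$2" "$4" "$3" >> "$1"
}

# Print the value of key $3 in profile $2 of file $1.
profile_get() {
    awk -v want="[$2]" -v key="$3" '
        /^\[/ { in_p = ($0 == want); next }
        in_p {
            split($0, kv, /[ \t]*=[ \t]*/)
            if (kv[1] == key) { print kv[2]; exit }
        }' "$1"
}

umask 077                      # credentials files must not be readable by others
demo_file=$(mktemp)            # stand-in for ~/.aws/credentials
cat > "$demo_file" <<'EOF'
[login]
aws_access_key_id = LOGIN_ACCESS_KEY_ID_PLACEHOLDER
aws_secret_access_key = LOGIN_SECRET_ACCESS_KEY_PLACEHOLDER
EOF
add_role_profile "$demo_file" project login \
    arn:aws:iam::123456789012:role/ProjectRole
cat "$demo_file"

# With real keys in [login], confirm the switch and make it the default:
#   aws --profile project sts get-caller-identity   # "Account": "123456789012"
#   export AWS_PROFILE=project
```

No long-lived keys are created in the Project account: the CLI uses the Login keys only to request temporary credentials for the role.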