AWS Learning Summary - 3. cross account access b

Author: 洪兴掌管一代 | Source: published on 2021-11-21 12:21, read 0 times

This post shows how to access the resources of one AWS account from another account.

New terms:

Trusting account: the account that owns a resource which another account wants to access.

Trusted account: the account that wants to access the resource of the trusting account.

Overview:

We will authorize an IAM user of the trusted account to access the EC2 instances of the trusting account. This takes two steps: create a role in the trusting account that grants the permission, and give the IAM users of the trusted account permission to assume that role.

1.Add permission

First, log in to the trusting account and create an IAM role that has full access to EC2, as follows.

Here you enter the account id of the trusted account. For example, if you want to create a role for another account A to access your resource, enter the account id of A. Then attach the policy "AmazonEC2FullAccess" to the role, because we want the IAM users to access the EC2 instances of the current (trusting) account.

Then click next step and enter the role name and description. I don't show every step as a screenshot; just click next step.

After you create the role in the trusting account, a URL is shown that jumps directly to the switch role page. Note it down; it is useful later.

At this point we have created a role that can access the EC2 instances of the trusting account.

2.Assume Role for IAM users in the trusted account.

Log in to the trusted account, the one that wants to access EC2 in the trusting account. Then create a policy that allows assuming the role created before.

Replace the Resource with the ARN of the role created before.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "ROLE-ARN"
            }
        ]
    }

Then name the policy and add a description. I omit that here.

Now attach the policy to the group whose IAM users need to access the EC2 instances of the trusting account.

Click Attach policies and find the policy you created just now.

After that, all IAM users in this group can access EC2 in the trusting account. Let's confirm it.
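Before walking through the console check, here is the same two-sided setup as an added Python example (not code from the original post): it builds the trust policy the role wizard in step 1 generates from the trusted account id, the sts:AssumeRole policy from step 2 with the ROLE-ARN filled in, the switch-role URL mentioned above, and a simplified check showing that both halves must agree before a user can switch roles. The account ids and role name are constructed sample values; the evaluator ignores Deny statements, wildcards and conditions, so it is an illustration of the idea, not IAM's real evaluation logic.

```python
import json

# Constructed sample values, not taken from the original post.
TRUSTING_ACCOUNT = "111111111111"   # owns the EC2 instances (step 1)
TRUSTED_ACCOUNT = "222222222222"    # its IAM users want to reach them (step 2)
ROLE_NAME = "EC2AccessFromTrustedAccount"


def role_arn(account_id: str, name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{name}"


def trust_policy(trusted_account_id: str) -> dict:
    """Trust policy the trusting account's role wizard produces when you enter
    'another AWS account' and its id: every principal in that account is trusted."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole"}]}


def assume_role_policy(target_role_arn: str) -> dict:
    """Policy from step 2, attached to the group in the trusted account,
    with the ROLE-ARN placeholder replaced by the real role ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def switch_role_url(account_id: str, name: str) -> str:
    """Console switch-role link shown after the role is created."""
    return f"https://signin.aws.amazon.com/switchrole?account={account_id}&roleName={name}"


def can_switch_role(caller_account: str, caller_policy: dict,
                    target_arn: str, trust: dict) -> bool:
    """Simplified check: the trusting side must name the caller's account in the
    trust policy AND the caller's own policy must allow sts:AssumeRole on this ARN."""
    trusted = any(
        st.get("Effect") == "Allow" and st.get("Action") == "sts:AssumeRole"
        and st.get("Principal", {}).get("AWS") == f"arn:aws:iam::{caller_account}:root"
        for st in trust["Statement"])
    allowed = any(
        st.get("Effect") == "Allow" and st.get("Action") == "sts:AssumeRole"
        and st.get("Resource") == target_arn
        for st in caller_policy["Statement"])
    return trusted and allowed


if __name__ == "__main__":
    arn = role_arn(TRUSTING_ACCOUNT, ROLE_NAME)
    print(json.dumps(assume_role_policy(arn), indent=4))
    print(switch_role_url(TRUSTING_ACCOUNT, ROLE_NAME))
```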

Log in as one of the IAM users in the group. As the screenshot shows, "dev1_console" is a user in the group "Developers". I log in as that user and create an EC2 instance.

First you need to switch to the role that has the authorization; only then can you create an EC2 instance.

You can see my history of switching roles.


Enter the trusting account id and the name of the role created in that account. In fact, you have a URL that switches to the role directly; I told you to note it down when you created the role.

After you switch to the role, the active identity shown in the top right changes to the role name, as in the screenshot. Then you can click Launch instances to create an instance. Here I have already created one.

Attention: choose the free tier option in the list, otherwise you will have to pay for it.

Finally, log in to the trusting account and check that the EC2 instance is there.

Congratulations!!!

Feel free to leave a comment. I will answer it sooner or later.

Article link: https://www.haomeiwen.com/subject/icbptrtx.html