EC2 instance with a cross account IAM role

Question:

I’ve created a cross account IAM role in one of my accounts (say account A) and would like to attach that role to an EC2 instance in another account (account B).

I tried creating a new role in account B with sts:AssumeRole pointing to the role in A and attached it to an EC2 instance in B. Doesn’t seem to be working.

How can the EC2 instance assume the cross account role in A?

Answer:

You cannot attach a cross-account IAM role to an EC2 instance directly. And having the sts:AssumeRole permissions does not automatically make the one role assume into the other.

Instead:

  1. Create your cross-account role in Account A.
  2. Create an IAM role for EC2 instances in Account B. Give this role permissions to execute sts:AssumeRole.
  3. Assign the IAM role from #2 to your EC2 instance.

Then, when you want to access the AWS API from your EC2 instance:

  1. Execute sts:AssumeRole to assume the cross-account role for Account A, to obtain temporary credentials.
  2. Use those temporary credentials to execute the rest of your API methods.
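The setup above, as an added example that is not part of the original answer: the trust policy the role in Account A needs so that only the instance role in Account B may assume it, the minimal permissions policy for the instance role, and the sts:AssumeRole call made from the instance with boto3. Account IDs, role names and the session name are placeholders.

```python
# Placeholder account IDs and role names (constructed for this example).
ACCOUNT_A = "111111111111"          # account that owns the cross-account role
ACCOUNT_B = "222222222222"          # account that owns the EC2 instance
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/CrossAccountRole"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/Ec2InstanceRole"


def trust_policy_for_account_a():
    """Trust policy on the role in Account A. Trusting the specific instance
    role ARN (not the whole of Account B) is what lets the instance assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": INSTANCE_ROLE_ARN},
            "Action": "sts:AssumeRole",
        }],
    }


def permission_policy_for_instance_role():
    """Permissions policy on the EC2 instance role in Account B: it only
    needs sts:AssumeRole on the one target role, nothing broader."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": TARGET_ROLE_ARN,
        }],
    }


def assume_cross_account_role(sts_client, role_arn=TARGET_ROLE_ARN,
                              session_name="ec2-cross-account", duration=900):
    """Call sts:AssumeRole with the instance's own credentials (boto3 reads
    them from the instance metadata service) and return the temporary
    credentials in the keyword form boto3.Session accepts."""
    resp = sts_client.assume_role(RoleArn=role_arn,
                                  RoleSessionName=session_name,
                                  DurationSeconds=duration)
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


if __name__ == "__main__":
    # Runs only on the EC2 instance in Account B; requires boto3.
    import boto3
    creds = assume_cross_account_role(boto3.client("sts"))
    s3_in_account_a = boto3.Session(**creds).client("s3")
    print(s3_in_account_a.list_buckets()["Buckets"])
```

Both policies must be in place: the trust policy alone or the permissions policy alone still fails with AccessDenied.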
