A Python CLI tool for managing cross-account access in AWS using IAM roles and temporary credentials.
This tool simplifies working with multiple AWS accounts by automating the process of assuming IAM roles and managing temporary credentials. Instead of manually switching between accounts in the AWS console or copying access keys, you can use simple commands to assume roles and automatically configure your AWS CLI profiles.
## Features

- Account Management: Configure and manage multiple AWS accounts in a single JSON file
- Role Assumption: Assume IAM roles across accounts with a single command
- Credential Management: Automatically save temporary credentials to AWS CLI profiles
- Access Logging: Track all role assumption attempts with timestamps and status
- Error Handling: Clear error messages with suggestions for common issues
- Config Validation: Validates account configuration to prevent errors
## Prerequisites

- Python 3.7 or higher
- AWS CLI configured with base credentials
- At least two AWS accounts (one main account and one or more target accounts)
- IAM roles set up with appropriate trust relationships
## Installation

- Clone this repository:

```bash
git clone https://github.com/joieux/aws-account-manager.git
cd aws-account-manager
```

- Install the required dependencies:

```bash
pip3 install boto3
```

- Ensure the AWS CLI is configured:

```bash
aws configure
```

## AWS Setup

If you don't already have multiple accounts, create them using AWS Organizations:
- Log into your main AWS account
- Navigate to AWS Organizations
- Click "Create organization"
- Add new accounts using "Add an AWS account" → "Create an AWS account"
In each target account, create an IAM role that your main account can assume:
- Go to IAM → Roles → Create role
- Select "AWS account" as trusted entity
- Enter your main account ID
- Attach appropriate permissions (start with AdministratorAccess for testing)
- Name the role (e.g., `CrossAccountAdminRole`)
- Note the role ARN
## Configuration

On first run, the tool creates a default `accounts.json` file. Edit this file to add your accounts:

```json
{
  "accounts": [
    {
      "name": "main",
      "account_id": "123456789012",
      "description": "Main AWS Account"
    },
    {
      "name": "dev",
      "account_id": "987654321098",
      "role_arn": "arn:aws:iam::987654321098:role/CrossAccountAdminRole",
      "description": "Development Account"
    },
    {
      "name": "prod",
      "account_id": "555555555555",
      "role_arn": "arn:aws:iam::555555555555:role/CrossAccountAdminRole",
      "description": "Production Account"
    }
  ]
}
```

## Usage

List the configured accounts:

```bash
python3 account_manager.py list
```

Output:
```
Configured Accounts:
------------------------------------------------------------
Name: main
Account ID: 123456789012
Description: Main AWS Account
------------------------------------------------------------
Name: dev
Account ID: 987654321098
Description: Development Account
Role ARN: arn:aws:iam::987654321098:role/CrossAccountAdminRole
------------------------------------------------------------
```
Show the identity your current credentials resolve to:

```bash
python3 account_manager.py whoami
```

Output:
```
Current AWS Identity:
Account: 123456789012
User/Role ARN: arn:aws:iam::123456789012:user/cli-user
User ID: AIDAXXXXXXXXXXXXXXXXX
```
Assume the role configured for a target account:

```bash
python3 account_manager.py assume dev
```

Output:
```
Assuming role in dev account...
✓ Successfully assumed role!
Session expires at: 2025-10-06 22:04:06+00:00
✓ Created credentials profile: assumed-dev
To use this profile, run:
export AWS_PROFILE=assumed-dev
Or add --profile assumed-dev to your AWS CLI commands
```
After assuming a role, switch to that profile:

```bash
export AWS_PROFILE=assumed-dev
aws s3 ls
```

Or use it for a single command:

```bash
aws s3 ls --profile assumed-dev
```

To return to your base credentials, unset the profile:

```bash
unset AWS_PROFILE
```

## Project Structure

```
aws-account-manager/
├── account_manager.py   # Main script
├── accounts.json        # Account configuration (created on first run)
├── access_log.txt       # Access attempt logs (created on first use)
├── README.md            # This file
└── requirements.txt     # Python dependencies
```
## How It Works

- Configuration: The tool reads `accounts.json` to determine which accounts and roles are available
- Authentication: Uses your configured AWS CLI credentials to authenticate with the main account
- Role Assumption: Calls the STS `AssumeRole` API to get temporary credentials for the target account
- Credential Storage: Saves the temporary credentials to `~/.aws/credentials` as a new profile
- Logging: Records all access attempts in `access_log.txt` for audit purposes
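The two local steps in that flow, the configuration check and the credential storage, as an added example that is not the project's own code: it validates one `accounts.json` entry (12-digit account ID, well-formed role ARN, ARN account matching `account_id`) and writes a constructed `AssumeRole` result to a credentials file as a profile, including the session token that temporary STS keys require. The function names, the `demo` helper and the sample key values are assumptions; no AWS call is made.

```python
# Added example (not the project's code): validate an accounts.json entry and
# store an STS AssumeRole result as an AWS CLI profile. Names are assumptions.
import configparser
import re
import tempfile
from pathlib import Path

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

def validate_account(entry: dict) -> list:
    """Return the problems found in one accounts.json entry (empty list = OK)."""
    problems = []
    account_id = str(entry.get("account_id", ""))
    if not ACCOUNT_ID_RE.match(account_id):
        problems.append("account_id must be exactly 12 digits")
    arn = entry.get("role_arn")
    if arn is not None:
        match = ROLE_ARN_RE.match(arn)
        if not match:
            problems.append("role_arn is not a valid IAM role ARN")
        elif match.group(1) != account_id:  # role paired with the wrong account
            problems.append("role_arn account does not match account_id")
    return problems

def write_profile(creds_path, profile: str, credentials: dict) -> str:
    """Add or replace [profile] in a credentials file, keeping other profiles."""
    config = configparser.ConfigParser()
    path = Path(creds_path)
    if path.exists():
        config.read(path)
    config[profile] = {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],  # STS keys need the token
    }
    with path.open("w") as fh:
        config.write(fh)
    path.chmod(0o600)  # only the owner should be able to read key material
    return profile

def demo() -> dict:
    # Constructed stand-in for the "Credentials" dict AssumeRole returns; not real keys.
    path = Path(tempfile.mkdtemp()) / "credentials"
    creds = {"AccessKeyId": "ASIACONSTRUCTEDEXAMPLE", "SecretAccessKey": "constructed",
             "SessionToken": "constructed-token"}
    name = write_profile(path, "assumed-dev", creds)
    saved = configparser.ConfigParser()
    saved.read(path)
    return dict(saved[name])
```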
## Security Considerations

- Temporary Credentials: All assumed role credentials are temporary and expire (default: 1 hour)
- Audit Trail: The `access_log.txt` file provides a record of all role assumptions
- Least Privilege: In production, replace AdministratorAccess with the specific permissions needed
- Credential Protection: Never commit your `~/.aws/credentials` file or access keys to version control
- Trust Relationships: Only accounts explicitly listed in the role's trust policy can assume it
## Troubleshooting

If boto3 is missing, install it:

```bash
pip3 install boto3
```

If assuming a role fails, check that:

- The trust relationship in the target account includes your main account ID
- Your user has `sts:AssumeRole` permission
- The role ARN in `accounts.json` is correct

Double-check the account ID in the trust relationship. AWS account IDs must be exactly 12 digits.

If your AWS CLI commands still run as the base identity, ensure you've exported the profile:

```bash
export AWS_PROFILE=assumed-dev
```

Verify it worked:

```bash
aws sts get-caller-identity
```

## Future Enhancements

Potential features for future versions:
- MFA support for role assumption
- Credential caching to reduce API calls
- Session duration configuration
- List and clean up expired profiles
- Support for external ID in trust relationships
- Integration with AWS SSO
- Automated role creation across accounts
## Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

## License

MIT License - see LICENSE file for details
Built as a learning project to understand AWS IAM, cross-account access, and boto3.
For a detailed walkthrough of building this tool, including challenges and lessons learned, download the full project report (PDF).