How it works...

In this recipe, we switched roles from our master account to a child account within an AWS Organization without any additional configuration. Then, we granted permission for a non-admin user's group to assume the default role, OrganizationAccountAccessRole, which AWS created as part of creating the child account.

Both roles and users are AWS identities with permission policies that specify what they can do. Users have standard long-term credentials such as a password or access keys. A role has no long-term credentials of its own; instead, users, groups, applications, or other AWS services assume the role and receive temporary security credentials that are valid only for that role session.

Granting permissions to allow access to resources that we control is called delegation. To perform delegation, we need to set up a trust between the account that owns the resource (the trusting account) and the account whose users need access (the trusted account). The trusting and trusted accounts can be the same account or different accounts.

When delegating permission, the IAM role in the trusting account carries two policies: the standard permissions policy that grants the role the needed permissions, and a trust policy. The trust policy specifies which accounts (principals) are allowed to assume the role. Like any IAM policy, the trust policy is written in JSON according to the rules of the IAM policy language.

As we saw in the previous recipe, the master account was added as a trusted entity by default when we created the member account under our organization. In this recipe, the trusted account (the master account) granted further permission for the testusergroup to assume the default role in the member account through a policy. This policy granted the AssumeRole permission of the Security Token Service (STS).
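The two policies that together make this delegation work are shown below as an added example that is not part of the book's recipe. It builds the trust policy the member account's OrganizationAccountAccessRole carries, the permissions policy attached to the group in the master account, and a deliberately simplified model of the AssumeRole authorization decision to make the point that both halves must allow the call. The account IDs, the evaluator and its helper functions are constructed for illustration; the role name is the one the recipe uses.

```python
"""Added example (not from the book): the two halves of cross-account delegation.

Account IDs are constructed placeholders: 111111111111 stands for the
organization's master account, 222222222222 for the member (child) account.
"""
import json

MASTER_ACCOUNT = "111111111111"   # placeholder: trusted account (master)
MEMBER_ACCOUNT = "222222222222"   # placeholder: trusting account (member)
ROLE_NAME = "OrganizationAccountAccessRole"
ROLE_ARN = f"arn:aws:iam::{MEMBER_ACCOUNT}:role/{ROLE_NAME}"


def trust_policy(trusted_account: str) -> dict:
    """Trust policy attached to the role in the trusting (member) account.
    Principal ':root' means any principal in that account whose own identity
    policy allows sts:AssumeRole on this role may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_permission(role_arn: str) -> dict:
    """Identity policy attached to the group in the trusted (master) account.
    Scoped to one role ARN rather than Resource '*' to keep privilege minimal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def _principal_accounts(statement: dict) -> set:
    """Collect account IDs from an 'AWS' principal (string or list of ARNs/IDs)."""
    aws = statement.get("Principal", {}).get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for p in aws:
        parts = p.split(":")
        if len(parts) == 6 and parts[0] == "arn":
            accounts.add(parts[4])          # account field of the ARN
        elif p.isdigit():
            accounts.add(p)                 # bare account ID form
    return accounts


def can_assume(caller_account: str, identity_policy: dict,
               role_arn: str, trust: dict) -> bool:
    """Simplified model (constructed, not AWS's evaluator): the call succeeds
    only if the caller's identity policy allows sts:AssumeRole on the role AND
    the role's trust policy names the caller's account. Real IAM evaluation
    additionally applies explicit Deny, conditions, SCPs and wildcards."""
    identity_ok = any(
        s.get("Effect") == "Allow"
        and "sts:AssumeRole" in ([s["Action"]] if isinstance(s["Action"], str) else s["Action"])
        and s.get("Resource") in ("*", role_arn)
        for s in identity_policy["Statement"]
    )
    trust_ok = any(
        s.get("Effect") == "Allow" and caller_account in _principal_accounts(s)
        for s in trust["Statement"]
    )
    return identity_ok and trust_ok


if __name__ == "__main__":
    print(json.dumps(trust_policy(MASTER_ACCOUNT), indent=2))
    print(json.dumps(assume_role_permission(ROLE_ARN), indent=2))
    print(can_assume(MASTER_ACCOUNT, assume_role_permission(ROLE_ARN),
                     ROLE_ARN, trust_policy(MASTER_ACCOUNT)))
```

The evaluator is the part worth keeping in mind when something fails to assume: a group in the master account with the permissions policy but no matching trust policy on the role, or a trust policy naming the master account while the group lacks sts:AssumeRole, both produce an AccessDenied, and the fix is on the side that is missing.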

In this recipe, we didn't create any role, since AWS had already created one for us. The create-role CLI command can be used to create a role. The get-role command returns information about a role, and delete-role deletes one. update-role can be used to change a role's description or maximum session duration.
