1.4. Create IAM Role


You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted accounts.

Create a role

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane of the console, choose Roles and then choose Create role.
  3. Choose the Another AWS account role type.
  4. For Account ID, type the AWS account ID to which you want to grant access to your resources.
  5. If you are granting permissions to users from an account that you do not control, and the users will assume this role programmatically, then select Require external ID.
  6. If you want to restrict the role to users who sign in with multi-factor authentication (MFA), select Require MFA.

(Screenshot: Add New Role)

  7. Choose Next: Permissions.
  8. IAM includes a list of the AWS managed and customer managed policies in your account. Select the policy to use for the permissions policy, or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see step 4 in the procedure Creating IAM Policies (Console).
  9. (Optional) Set a permissions boundary.

(Screenshot: Role Policy)

  10. Choose Next: Tags.
  11. (Optional) Add metadata to the role by attaching tags as key–value pairs.
  12. Choose Next: Review.
  13. For Role name, type a name for your role. Role names must be unique within your AWS account. They are not distinguished by case.
  14. (Optional) For Role description, type a description for the new role.

(Screenshot: Role Review)

  15. Review the role and then choose Create role.
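Steps 3 to 6 above produce the role's trust policy. The following is an added example, not part of this page or of AWS's own tooling: it builds the trust policy that those console choices correspond to (account principal, optional external ID, optional MFA condition) and audits an existing trust policy for foreign-account principals that lack the external ID guard. The account IDs and external ID are constructed sample values; the statement shape is assumed to match what IAM emits for the "Another AWS account" role type.

```python
import json


def build_cross_account_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Trust policy equivalent of steps 3-6 (assumed console output shape)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    conditions = {}
    if external_id is not None:          # step 5: Require external ID
        conditions["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:                      # step 6: Require MFA
        conditions["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if conditions:
        statement["Condition"] = conditions
    return {"Version": "2012-10-17", "Statement": [statement]}


def audit_trust_policy(policy, own_account_id):
    """Return findings for AssumeRole grants to other accounts with no sts:ExternalId."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the literal "*" or a dict with an "AWS" entry (string or list)
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for p in aws:
            if p == "*":
                findings.append("principal '*' lets any AWS account assume the role")
            elif own_account_id not in p and not has_external_id:
                findings.append(f"foreign principal {p} has no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    # Constructed sample IDs; the trusting account is 999988887777, the trusted one 111122223333
    policy = build_cross_account_trust_policy("111122223333", external_id="ExampleExtId", require_mfa=True)
    print(json.dumps(policy, indent=2))
    print(audit_trust_policy(policy, "999988887777"))
```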