IAM Policy that allows only access to "Switch Role"



I am looking for a IAM policy with limited access that would allow a user to sign in to the AWS console. From there the user would only be able to press the button to switch to another role. The user should only be able to "Switch Role" and that's it. Not additional access is needed other than Switch Role.

For example:

[Main AWS Console Account] ----> (press the "Switch Role" button and enter AWS Account ID and Role) ----> [In New AWS Console Role]

The idea is to use the main account as to jump onto other accounts but with limited permissions to the main account.

asked 2 years ago1090 views
1 Answer


You can create an IAM user with No permissions to the Main AWS account and assign inline policy to switch role to the Destination account.

Here are the steps:

  1. Create IAM user in Main account

  2. Assign policy to the IAM user in main account

    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::XXXXXXXXX:role/switch-role"
  1. User can acess to main account but denied to acess any services because AWS have explicit deny, So The IAM user can switch to the destination account based on the role permissions configured in the destination.

Thanks GK

profile picture
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions