
Authenticating to the AWS web console

Authenticate to the AWS Web Console in the security account

To authenticate to the security account, you will need:

  1. IAM User Credentials. See setting up initial access for how to create IAM users.
  2. An MFA Token. See Configuring your IAM user.
  3. The login URL. This should be of the format https://<YOUR_ACCOUNT_ID>.signin.aws.amazon.com/console.

Authenticate to the AWS Web Console in all other accounts

To authenticate to any other account (e.g., dev, stage, prod), you need to:

  1. Authenticate to the security account. All IAM users are defined in this account, so you must always authenticate to it first.
  2. Assume an IAM Role in the other AWS account. To access other accounts, you switch to an IAM Role defined in that account.

Note: To access an IAM Role in some account, your IAM User must be in an IAM Group that has permissions to assume that IAM Role.

See the cross-account-iam-roles module for the default set of IAM Roles that exist in each account. For example, to assume the allow-read-only-access-from-other-accounts IAM Role in the prod account, you must be in the _account.prod-read-only IAM Group. See Configure other IAM Users for how you add users to IAM Groups.
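
Switching roles only works when both sides agree: the group's policy in the security account must allow sts:AssumeRole on the role, and the role's trust policy in the target account must trust the security account. The check below is an added example, not code from this documentation or its modules; the account IDs and both policy documents are constructed assumptions, and the evaluation is simplified.

```python
from fnmatch import fnmatchcase

# Constructed placeholder account IDs; neither appears on the page.
SECURITY_ACCOUNT = "111111111111"
PROD_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/allow-read-only-access-from-other-accounts"

# Assumed identity policy attached to the _account.prod-read-only IAM Group.
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Assumed trust policy on the role in the prod account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _covers_assume_role(stmt):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase("sts:assumerole", a.lower())
               for a in _as_list(stmt.get("Action", [])))


def group_allows(policy, role_arn):
    """Identity side: an Allow covers sts:AssumeRole on role_arn and no Deny does.
    Simplified: Condition, NotAction and NotResource are not evaluated."""
    def hits(effect):
        return any(s.get("Effect") == effect and _covers_assume_role(s)
                   and any(fnmatchcase(role_arn, r) for r in _as_list(s.get("Resource", [])))
                   for s in _as_list(policy["Statement"]))
    return hits("Allow") and not hits("Deny")


def role_trusts(trust_policy, account_id):
    """Resource side: the role's trust policy names account_id as a principal."""
    trusted = {account_id, f"arn:aws:iam::{account_id}:root"}
    for s in _as_list(trust_policy["Statement"]):
        principal = s.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if s.get("Effect") == "Allow" and _covers_assume_role(s) and trusted & set(aws):
            return True
    return False


def can_switch_role(group_policy, trust_policy, role_arn, home_account):
    """Both sides must agree before the console's Switch Role succeeds."""
    return group_allows(group_policy, role_arn) and role_trusts(trust_policy, home_account)
```

A user who is not in the group fails the identity-side check even when the trust policy is correct, which is the situation the note above describes.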

Note: Not all of the default roles referenced in the cross-account-iam-roles module are deployed in each account.