If you need to assume a role across AWS accounts, that is, allow an identity in one account to assume a role and use resources in another AWS account, you need to create a role and attach the following policies.
The following two (2) steps create a trust relationship between the accounts.
Step 1 – In the Source Account (identity policy attached to the user or role that will call AssumeRole)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "sts:AssumeRole"
    ],
    "Resource": [
      "arn:aws:iam::DESTINATION-ACCOUNT-ID:role/DESTINATION-ROLENAME"
    ]
  }]
}
Step 2 – In the Destination Account (trust policy on DESTINATION-ROLENAME)
The Principal ARN must name the exact identity that calls AssumeRole from the source account: arn:aws:iam::SOURCE-ACCOUNT-ID:user/NAME for an IAM user, or arn:aws:iam::SOURCE-ACCOUNT-ID:role/NAME for a role.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::SOURCE-ACCOUNT-ID:role/SOURCE-USERNAME"
    },
    "Action": "sts:AssumeRole"
  }]
}
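The two halves only work when the ARNs line up: the Resource in Step 1 must be the destination role, and the Principal in Step 2 must be the calling identity. The following check, an added example that is not part of the original page, parses both documents with constructed sample account IDs (111111111111 and 222222222222) and role names, and also flags a trust policy whose principal is broader than a single identity ("*" or an account root).

```python
import json
import re

# Single IAM user or role ARN; a plain account ID or an uppercase placeholder may stand in for the ID.
ARN_RE = re.compile(r"^arn:aws:iam::[0-9A-Z-]+:(role|user)/[\w+=,.@-]+$")

# Constructed sample documents: the two steps above with the placeholders filled in.
SOURCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Resource": ["arn:aws:iam::222222222222:role/cross-account-role"]}]})
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy-role"}}]})


def as_list(value):
    """IAM accepts a single string wherever a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust(source_policy, trust_policy, source_identity_arn, destination_role_arn):
    """Return a list of findings; an empty list means the two halves line up."""
    findings = []
    # Step 1: the source identity's policy must allow sts:AssumeRole on the destination role.
    src_ok = any(
        st.get("Effect") == "Allow"
        and "sts:AssumeRole" in as_list(st.get("Action", []))
        and destination_role_arn in as_list(st.get("Resource", []))
        for st in as_list(json.loads(source_policy)["Statement"]))
    if not src_ok:
        findings.append("source policy does not allow sts:AssumeRole on " + destination_role_arn)
    # Step 2: the destination role's trust policy must name that identity as principal.
    trusted = False
    for st in as_list(json.loads(trust_policy)["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        arns = as_list(principal) if isinstance(principal, str) else as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*" or arn.endswith(":root"):
                findings.append(f"trust policy principal {arn} trusts more than one identity")
            elif not ARN_RE.match(arn):
                findings.append(f"trust policy principal {arn} is not a user or role ARN")
        trusted = trusted or source_identity_arn in arns
    if not trusted:
        findings.append("trust policy does not name " + source_identity_arn)
    return findings


if __name__ == "__main__":
    for finding in check_trust(SOURCE_POLICY, TRUST_POLICY, "arn:aws:iam::111111111111:role/deploy-role",
                               "arn:aws:iam::222222222222:role/cross-account-role"):
        print("FINDING:", finding)
```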