Providing access to Amazon Web Services accounts owned by third parties - Amazon Identity and Access Management

Providing access to Amazon Web Services accounts owned by third parties

When third parties require access to your organization's Amazon resources, you can use roles to delegate access to them. For example, a third party might provide a service for managing your Amazon resources. With IAM roles, you can grant these third parties access to your Amazon resources without sharing your Amazon security credentials. Instead, the third party can access your Amazon resources by assuming a role that you create in your Amazon Web Services account. To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see What is IAM Access Analyzer?.

Third parties must provide you with the following information for you to create a role that they can assume:

  • The third party's Amazon Web Services account ID. You specify their Amazon Web Services account ID as the principal when you define the trust policy for the role.

  • An external ID to uniquely associate with the role. The external ID can be any identifier that is known only by you and the third party. For example, you can use an invoice ID between you and the third party, but do not use something that can be guessed, like the name or phone number of the third party. You must specify this ID when you define the trust policy for the role. The third party must provide this ID when they assume the role. For more information about the external ID, see How to use an external ID when granting access to your Amazon resources to a third party.

  • The permissions that the third party requires to work with your Amazon resources. You must specify these permissions when defining the role's permission policy. This policy defines what actions they can take and what resources they can access.

After you create the role, you must provide the role's Amazon Resource Name (ARN) to the third party. They require your role's ARN in order to assume the role.
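The following added example (not part of the original documentation) builds the trust policy described above for one third-party account and audits an existing trust policy for cross-account principals that are trusted without an external ID. The function names and the `aws-cn` partition default are assumptions, and the audit matches the `StringEquals` / `sts:ExternalId` keys with exact casing only.

```python
import re

ACCOUNT_ID = re.compile(r"\d{12}")
# Characters and length that STS accepts for an ExternalId value.
EXTERNAL_ID = re.compile(r"[\w+=,.@:/-]{2,1224}", re.ASCII)


def build_trust_policy(third_party_account, external_id, partition="aws-cn"):
    """Trust policy letting one third-party account assume the role,
    only when it presents the agreed external ID."""
    if not ACCOUNT_ID.fullmatch(third_party_account):
        raise ValueError("account ID must be 12 digits")
    if not EXTERNAL_ID.fullmatch(external_id):
        raise ValueError("external ID has invalid length or characters")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{partition}:iam::{third_party_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, own_account):
    """Return findings for Allow statements that trust another account
    (or any account) without requiring an external ID."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: any principal may assume the role")
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        for p in _as_list(principal.get("AWS", [])):
            m = re.search(r"\d{12}", p)
            foreign = p == "*" or (m is not None and m.group() != own_account)
            if foreign and not required:
                findings.append(f"statement {i}: {p} trusted without sts:ExternalId")
    return findings
```

Serialize the returned dictionary with `json.dumps` to use it as the role's trust policy document.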


When you grant third parties access to your Amazon resources, they can access any resource that you specify in the policy. Their use of your resources is billed to you. Ensure that you limit their use of your resources appropriately.