Access to Amazon Web Services accounts owned by third parties - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Access to Amazon Web Services accounts owned by third parties

When third parties require access to your organization's Amazon resources, you can use roles to delegate access to them. For example, a third party might provide a service for managing your Amazon resources. With IAM roles, you can grant these third parties access to your Amazon resources without sharing your Amazon security credentials. Instead, the third party can access your Amazon resources by assuming a role that you create in your Amazon Web Services account. To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see What is IAM Access Analyzer?.

Third parties must provide you with the following information for you to create a role that they can assume:

  • The third party's Amazon Web Services account ID. You specify their Amazon Web Services account ID as the principal when you define the trust policy for the role.

  • An external ID to uniquely associate with the role. The external ID can be any identifier that is known only by you and the third party. For example, you can use an invoice ID between you and the third party, but do not use something that can be guessed, like the name or phone number of the third party. You must specify this ID when you define the trust policy for the role. The third party must provide this ID when they assume the role.

  • The permissions that the third party requires to work with your Amazon resources. You must specify these permissions when defining the role's permission policy. This policy defines what actions they can take and what resources they can access.

After you create the role, you must provide the role's Amazon Resource Name (ARN) to the third party. They require your role's ARN in order to assume the role.


When you grant third parties access to your Amazon resources, they can access any resource that you specify in the policy. Their use of your resources is billed to you. Ensure that you limit their use of your resources appropriately.

External IDs for third party access

An external ID allows the user that is assuming the role to assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances. The primary function of the external ID is to address and prevent The confused deputy problem.


Amazon does not treat the external ID as a secret. After you create a secret like an access key pair or a password in Amazon, you cannot view them again. The external ID for a role can be seen by anyone with permission to view the role.

When should I use an external ID?

Use an external ID in the following situations:

  • You are an Amazon Web Services account owner and you have configured a role for a third party that accesses other Amazon Web Services accounts in addition to yours. You should ask the third party for an external ID that it includes when it assumes your role. Then you check for that external ID in your role's trust policy. Doing so ensures that the external party can assume your role only when it is acting on your behalf.

  • You are in the position of assuming roles on behalf of different customers like Example Corp in our previous scenario. You should assign a unique external ID to each customer and instruct them to add the external ID to their role's trust policy. You must then ensure that you always include the correct external ID in your requests to assume roles.

    You probably already have a unique identifier for each of your customers, and this unique ID is sufficient for use as an external ID. The external ID is not a special value that you need to create explicitly, or track separately, just for this purpose.

    You should always specify the external ID in your AssumeRole API calls. In addition when a customer gives you a role ARN, test whether you can assume the role both with and without the correct external ID. If you can assume the role without the correct external ID, don't store the customer's role ARN in your system. Wait until your customer has updated the role trust policy to require the correct external ID. In this way you help your customers to do the right thing, which helps to keep both of you protected against the confused deputy problem.

Example scenario using an external ID

For example, let's say that you decide to hire a third-party company called Example Corp to monitor your Amazon Web Services account and help optimize costs. In order to track your daily spending, Example Corp needs to access your Amazon resources. Example Corp also monitors many other Amazon accounts for other customers.

Do not give Example Corp access to an IAM user and its long-term credentials in your Amazon account. Instead, use an IAM role and its temporary security credentials. An IAM role provides a mechanism to allow a third party to access your Amazon resources without needing to share long-term credentials (such as an IAM user access key).

You can use an IAM role to establish a trusted relationship between your Amazon Web Services account and the Example Corp account. After this relationship is established, a member of the Example Corp account can call the Amazon Security Token Service AssumeRole API to obtain temporary security credentials. The Example Corp members can then use the credentials to access Amazon resources in your account.


For more information about the AssumeRole and other Amazon API operations that you can call to obtain temporary security credentials, see Compare Amazon STS credentials.

Here's a more detailed breakdown of this scenario:

  1. You hire Example Corp, so they create a unique customer identifier for you. They provide you with this unique customer ID and their Amazon Web Services account number. You need this information to create an IAM role in the next step.


    Example Corp can use any string value they want for the ExternalId, as long as it is unique for each customer. It can be a customer account number or even a random string of characters, as long as no two customers have the same value. It is not intended to be a 'secret'. Example Corp must provide the ExternalId value to each customer. What is crucial is that it must be generated by Example Corp and not their customers to ensure each external ID is unique.

  2. You sign in to Amazon and create an IAM role that gives Example Corp access to your resources. Like any IAM role, the role has two policies, a permission policy and a trust policy. The role's trust policy specifies who can assume the role. In our sample scenario, the policy specifies the Amazon Web Services account number of Example Corp as the Principal. This allows identities from that account to assume the role. In addition, you add a Condition element to the trust policy. This Condition tests the ExternalId context key to ensure that it matches the unique customer ID from Example Corp. For example:

    "Principal": {"AWS": "Example Corp's Amazon Web Services account ID"}, "Condition": {"StringEquals": {"sts:ExternalId": "Unique ID Assigned by Example Corp"}}
  3. The permission policy for the role specifies what the role allows someone to do. For example, you could specify that the role allows someone to manage only your Amazon EC2 and Amazon RDS resources but not your IAM users or groups. In our sample scenario, you use the permission policy to give Example Corp read-only access to all of the resources in your account.

  4. After you create the role, you provide the Amazon Resource Name (ARN) of the role to Example Corp.

  5. When Example Corp needs to access your Amazon resources, someone from the company calls the Amazon sts:AssumeRole API. The call includes the ARN of the role to assume and the ExternalId parameter that corresponds to their customer ID.

If the request comes from someone using Example Corp's Amazon Web Services account, and if the role ARN and the external ID are correct, the request succeeds. It then provides temporary security credentials that Example Corp can use to access the Amazon resources that your role allows.

In other words, when a role policy includes an external ID, anyone who wants to assume the role must be a principal in the role and must include the correct external ID.

Key points for external IDs

  • In a multi-tenant environment where you support multiple customers with different Amazon accounts, we recommend using one external ID per Amazon Web Services account. This ID should be a random string generated by the third party.

  • To require that the third party provides an external ID when assuming a role, update the role's trust policy with the external ID of your choice.

  • To provide an external ID when you assume a role, use the Amazon CLI or Amazon API to assume that role. For more information, see the STS AssumeRole API operation, or the STS assume-role CLI operation.

Additional resources

The following resources can help you learn more about providing access to Amazon Web Services accounts owned by third parties.