Moving between AWS accounts
There isn't usually much to do in your Substrate account. Instead, you'll be assuming roles in other accounts, where your real work happens. There are three ways this happens:

Ad-hoc movement throughout your organization is made easy by the `substrate assume-role` command. It understands the layout of your organization and converts domains, environments, and qualities into the appropriate AWS account numbers for you.
To get temporary credentials in your example development default account (once you've created such an account), you'd run `substrate assume-role -domain example -environment development -quality default`. Without any additional arguments, `substrate assume-role` prints shell environment variables, so you should wrap it in `eval`. It also defines an `unassume-role` alias in your shell that you can use to pop back into your Substrate account:

```shell
eval $(substrate assume-role -domain example -environment development -quality default)
# do whatever you like
```
If you have a specific command you need to run, tack it onto the end. The command runs as a child process with the assumed role's credentials, so your current shell's environment is left untouched:

```shell
substrate assume-role -domain example -environment development -quality default aws ec2 describe-security-groups
```
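Before doing anything destructive under an assumed role it is worth confirming, from AWS's point of view, which account and role you actually landed in. The shell snippet below is an added example, not code from the Substrate project: it wraps the `substrate assume-role` and `eval` pattern described above in a subshell (so the assumed credentials never leak into your interactive shell), calls `aws sts get-caller-identity` to fetch the caller ARN, and refuses to run the trailing command unless the role name in that ARN matches what you expected. The function names `role_from_arn`, `account_from_arn` and `assume_and_check`, and the sample ARN in the comments, are this example's own inventions; `substrate assume-role` and `aws sts get-caller-identity` are the real commands.

```shell
#!/bin/sh
# Added example (not Substrate's own code): verify where `substrate assume-role`
# landed you before running anything, using `aws sts get-caller-identity`.

# Extract the role name from an STS assumed-role ARN, for example
#   arn:aws:sts::123456789012:assumed-role/Administrator/alice  ->  Administrator
# Returns non-zero for ARNs that are not assumed-role sessions (e.g. IAM users).
role_from_arn() {
  arn="$1"
  rest="${arn#*:assumed-role/}"       # Administrator/alice
  [ "$rest" != "$arn" ] || return 1   # no assumed-role segment present
  printf '%s\n' "${rest%%/*}"
}

# Extract the 12-digit account number from any ARN (5th colon-separated field).
account_from_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Assume a role in the given domain/environment/quality, confirm with STS that
# the expected role was reached, then run the remaining arguments as a command.
# The whole body runs in a subshell (note the parentheses instead of braces),
# so the credentials exported by `eval` disappear when the function returns.
# Usage:
#   assume_and_check example development default Administrator \
#     aws ec2 describe-security-groups
assume_and_check() (
  domain="$1"; environment="$2"; quality="$3"; expected_role="$4"; shift 4
  eval "$(substrate assume-role -domain "$domain" -environment "$environment" -quality "$quality")"
  arn="$(aws sts get-caller-identity --query Arn --output text)"
  actual_role="$(role_from_arn "$arn")" || {
    echo "refusing to continue: $arn is not an assumed-role session" >&2
    exit 1
  }
  if [ "$actual_role" != "$expected_role" ]; then
    echo "refusing to continue: expected role $expected_role but got $actual_role in account $(account_from_arn "$arn")" >&2
    exit 1
  fi
  echo "running as $arn" >&2
  "$@"
)
```

The two helpers only do string parsing and work offline; `assume_and_check` needs working Substrate and AWS CLI installations and real credentials. If you prefer the `eval` form in your interactive shell, the same `aws sts get-caller-identity` check is still the quickest way to make sure `unassume-role` really brought you back to your Substrate account.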
In addition to the forms above that let you specify a domain, environment, and quality, `substrate assume-role` can select your management account with `-management`, your deploy or network account with `-special` (for example `-special network`), and your Substrate account with `-admin -quality` followed by the quality of that account. Or you can go completely off-road and name an arbitrary AWS account by its account number.

Whichever way you select the account, `substrate assume-role` carries on with the same role name you already hold: Administrator (or OrganizationAdministrator, etc., as appropriate) when you're Administrator, Auditor when you're Auditor, and so on. You can also ask for a different role name explicitly, subject to that role trusting the one you're coming from.
A lot of work in your AWS organization hopefully happens in Terraform and not in ad-hoc shell sessions. `substrate create-account` creates a root Terraform module for you with providers configured to assume the appropriate role, so you don't have to think about matching the credentials in your environment to the directory in which you invoke `terraform apply`. All you'll ever need to invoke Terraform are the Administrator credentials you get from the Credential Factory and the Instance Factory.
The AWS Console includes a "switch role" feature that you're welcome to use, but the page on accessing the AWS Console shows that you probably won't need it. In your Substrate-managed AWS organization, access to the AWS Console feels less like switching roles and more like going straight into the account you need to access.