Some tasks require root user credentials, so from time to time we need to log in to an AWS account as root, e.g. to remove a misconfigured S3 bucket policy that denies all principals.
Conventionally, we log in to the account from the AWS console with the root user's email, password and MFA. Now there is a better way to log in as root to a member account in an Organization – Centrally managing root access for customers using AWS Organizations.
There are only two steps:
First, enable this feature in IAM in the Organization's master/management account. Optionally, you can choose a delegated administrator account. This can be done either via the console or the command line.

➜ aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
➜ aws iam enable-organizations-root-credentials-management
➜ aws iam enable-organizations-root-sessions
Second, grant sts:AssumeRoot permission to the target role (the principal that will perform the task).
That's it. Here is the command to assume into an account as root with a provisioned task policy, which is a very good security practice because it restricts what the root session can do:
aws sts assume-root --target-principal <account_id> --task-policy-arn arn=<policy_arn>
Here is an example that only allows the root user to manage the S3 bucket policy in account 123456789000.
aws sts assume-root --target-principal 123456789000 --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy
There are 5 policies that are available in the /root-task path for you to use.
➜ ~ aws iam list-policies --path-prefix /root-task/
{
"Policies": [
{
"PolicyName": "SQSUnlockQueuePolicy",
"PolicyId": "ANPAZKAPJZG4HPZI4FDUV",
"Arn": "arn:aws:iam::aws:policy/root-task/SQSUnlockQueuePolicy",
"Path": "/root-task/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-11-06T21:51:02+00:00",
"UpdateDate": "2024-11-06T21:51:02+00:00"
},
{
"PolicyName": "S3UnlockBucketPolicy",
"PolicyId": "ANPAZKAPJZG4OALTIPZOF",
"Arn": "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy",
"Path": "/root-task/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-11-06T21:55:56+00:00",
"UpdateDate": "2024-11-06T21:55:56+00:00"
},
{
"PolicyName": "IAMAuditRootUserCredentials",
"PolicyId": "ANPAZKAPJZG4BDSCREYVS",
"Arn": "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials",
"Path": "/root-task/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-11-06T22:27:58+00:00",
"UpdateDate": "2024-11-06T22:27:58+00:00"
},
{
"PolicyName": "IAMCreateRootUserPassword",
"PolicyId": "ANPAZKAPJZG4OEGTN7YT5",
"Arn": "arn:aws:iam::aws:policy/root-task/IAMCreateRootUserPassword",
"Path": "/root-task/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-11-06T22:32:59+00:00",
"UpdateDate": "2024-11-06T22:32:59+00:00"
},
{
"PolicyName": "IAMDeleteRootUserCredentials",
"PolicyId": "ANPAZKAPJZG4CX73XKORQ",
"Arn": "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials",
"Path": "/root-task/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2024-11-06T22:47:58+00:00",
"UpdateDate": "2024-11-06T22:47:58+00:00"
}
]
}
Here is a handy bash one-liner that assumes root and exports the temporary credentials as environment variables in the current shell:
eval $(aws sts assume-root --target-principal 123456789000 --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy --output json | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId) AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey) AWS_SESSION_TOKEN=\(.SessionToken)"')
aws sts get-caller-identity --no-cli-pager
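The following script is an added example, not code from the original post. It ties together the two places above where something has to be written down: the sts:AssumeRoot grant from step two (rendered as a least-privilege inline policy that pins one member account and one task policy), and the assume-root one-liner (rewritten so the root credentials live only inside a subshell for the duration of a single command, instead of being exported into the interactive shell). It assumes AWS CLI v2 with `sts assume-root` is installed and already authenticated as a principal in the management or delegated-administrator account; the role name, account id and bucket name are placeholders; the sts:TaskPolicyArn condition key and the 900-second session cap are taken from the AssumeRoot documentation as I recall it, so confirm them against the current docs before relying on them.

```shell
#!/bin/sh
# Added example, not code from the original post. Two pieces of a break-glass
# workflow around sts:AssumeRoot:
#   1. render_assume_root_policy / grant_assume_root: the least-privilege IAM
#      policy for step two, allowing AssumeRoot into ONE member account with
#      ONE task policy.
#   2. run_as_root: run a single command under the task-scoped root session,
#      with the temporary credentials confined to a subshell.
# Assumptions: AWS CLI v2 with `sts assume-root` is installed and authenticated
# as a principal in the management or delegated-admin account; role name,
# account id and bucket name are placeholders; the sts:TaskPolicyArn condition
# key and the 900-second cap are as documented for AssumeRoot (verify).
set -eu

ROOT_TASK_PREFIX="arn:aws:iam::aws:policy/root-task/"

# validate_target ACCOUNT_ID: the target principal is a 12-digit member account id.
validate_target() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# task_policy_arn NAME: map one of the five AWS-managed /root-task/ policies to
# its ARN; anything else (e.g. AdministratorAccess) is refused.
task_policy_arn() {
  case "$1" in
    S3UnlockBucketPolicy|SQSUnlockQueuePolicy|IAMAuditRootUserCredentials|IAMCreateRootUserPassword|IAMDeleteRootUserCredentials)
      printf '%s%s\n' "$ROOT_TASK_PREFIX" "$1" ;;
    *) echo "not a root task policy: $1" >&2; return 1 ;;
  esac
}

# render_assume_root_policy ACCOUNT_ID TASK_NAME: print the inline policy to
# attach to the operator role (step two). Resource pins the member account and
# the condition pins the task policy, so the role cannot pick a broader one.
render_assume_root_policy() {
  validate_target "$1" || { echo "bad account id: $1" >&2; return 1; }
  rarp_arn="$(task_policy_arn "$2")" || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRootForOneTaskInOneAccount",
      "Effect": "Allow",
      "Action": "sts:AssumeRoot",
      "Resource": "arn:aws:iam::$1:root",
      "Condition": {
        "StringEquals": { "sts:TaskPolicyArn": "$rarp_arn" }
      }
    }
  ]
}
EOF
}

# grant_assume_root ROLE_NAME ACCOUNT_ID TASK_NAME: attach the policy above.
grant_assume_root() {
  gar_doc="$(render_assume_root_policy "$2" "$3")" || return 1
  aws iam put-role-policy --role-name "$1" \
    --policy-name "AssumeRoot-$3-$2" --policy-document "$gar_doc"
}

# run_as_root ACCOUNT_ID TASK_NAME CMD [ARGS...]: run CMD as the member
# account's root, limited by TASK_NAME. The credentials are exported only
# inside the ( ... ) subshell, so the caller's shell never holds them, and the
# session is requested for 5 minutes rather than the 15-minute maximum.
run_as_root() {
  validate_target "$1" || { echo "bad account id: $1" >&2; return 1; }
  rar_arn="$(task_policy_arn "$2")" || return 1
  rar_account="$1"
  shift 2
  (
    # --query/--output text gives one tab-separated line: key, secret, token
    IFS="$(printf '\t')" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$(aws sts assume-root --target-principal "$rar_account" --task-policy-arn "arn=$rar_arn" --duration-seconds 300 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
EOF
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    # Show which identity the command will run as before doing anything.
    aws sts get-caller-identity --no-cli-pager >&2
    "$@"
  )
}

# Stand-alone usage with placeholder values (nothing runs without arguments):
#   sh root-task.sh grant BreakGlassRootOperator 123456789000 S3UnlockBucketPolicy
#   sh root-task.sh run 123456789000 S3UnlockBucketPolicy \
#       aws s3api delete-bucket-policy --bucket example-bucket
case "${1:-}" in
  grant) shift; grant_assume_root "$@" ;;
  run)   shift; run_as_root "$@" ;;
esac
```

The design point is scope: the grant side refuses any policy outside /root-task/ and any non-account target, and the run side never leaves root credentials in the parent shell, so a forgotten `unset` cannot turn a five-minute unlock task into a lingering root session. CloudTrail still records the AssumeRoot call and everything done with the session, which is what you want to review afterwards.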