I recently needed to access resources from multiple AWS accounts. For example, say you have a monitoring service (e.g. Sensu) and you want to monitor AWS resources (EC2 instances, RDS databases, ...) that live in multiple AWS accounts (one account per service, or per environment such as dev and production).
You basically have two solutions here. The first one is to create a user for your monitoring service in each account and use what AWS calls "shared credentials": you put all your credentials in a file such as
~/.aws/credentials, and in your script you either pick the profile you want to use or loop over all your accounts until you find the resource you are looking for. This works, but it means maintaining multiple users and therefore multiple sets of AWS credentials.
Having to maintain multiple sets of credentials for a single script can be painful. To avoid that, you can use the second solution: IAM roles.
As described in the AWS documentation walkthrough Delegating Access Across AWS Accounts For Accounts You Own Using IAM Roles, creating a cross-account IAM role is pretty easy: the role lives in the account that owns the resources, its trust policy names your monitoring account as a trusted principal, and your script assumes it through STS to get temporary credentials for that account.
Once you have your role, here is an example of using it with the Ruby AWS SDK:
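The author's original snippet did not survive on this page; the following is an added example (not the author's code) showing the pattern with the Ruby AWS SDK v3 API. It assumes a role with the same name (here `role_name`) exists in every account, assumes it in each account via STS, and uses the temporary credentials to look up an EC2 instance, which is the kind of check a decommissioning handler needs. The STS client and the EC2 client factory are injectable so the logic can be exercised offline with fakes.

```ruby
# Added example: look up an EC2 instance across several AWS accounts by
# assuming a cross-account IAM role in each one (Ruby AWS SDK v3 API).
# Clients are injected so the lookup can be exercised offline with fakes.
ACCOUNT_ID_RE = /\A\d{12}\z/

# Build the ARN of the cross-account role; role_name is the same in every account.
def role_arn(account_id, role_name)
  raise ArgumentError, "bad account id #{account_id.inspect}" unless ACCOUNT_ID_RE.match?(account_id)
  "arn:aws:iam::#{account_id}:role/#{role_name}"
end

# Exchange our own credentials for short-lived ones in the target account.
# The role's trust policy must list our account as a trusted principal.
def assume_role_credentials(sts, account_id, role_name, session_name)
  resp = sts.assume_role(
    role_arn: role_arn(account_id, role_name),
    role_session_name: session_name,   # recorded in the target account's CloudTrail
    duration_seconds: 900              # shortest allowed; we only need one API call
  )
  c = resp.credentials
  { access_key_id: c.access_key_id, secret_access_key: c.secret_access_key,
    session_token: c.session_token }
end

# Default factories use the real SDK; the gems are only required when used.
def default_sts
  require 'aws-sdk-sts'
  Aws::STS::Client.new
end

def default_ec2_factory
  lambda do |creds, region|
    require 'aws-sdk-ec2'
    Aws::EC2::Client.new(creds.merge(region: region))
  end
end

# Return the account that owns instance_id, or nil if no account has it
# (for example because it was terminated and can be decommissioned).
def find_instance_account(instance_id, accounts, role_name, region: 'us-east-1',
                          sts: default_sts, ec2_factory: default_ec2_factory)
  accounts.each do |account_id|
    creds = assume_role_credentials(sts, account_id, role_name, "lookup-#{instance_id}")
    ec2 = ec2_factory.call(creds, region)
    # A filter returns no reservations for an unknown id instead of raising.
    resp = ec2.describe_instances(filters: [{ name: 'instance-id', values: [instance_id] }])
    return account_id unless resp.reservations.empty?
  end
  nil
end
```

The role in each target account only needs `ec2:DescribeInstances` for this lookup, so keep its permission policy that narrow.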
You can see a real-life example here: https://github.com/Pryz/sensu/blob/master/awsdecomm.rb, a Sensu handler that cleans out old Sensu clients whose AWS instances have been decommissioned.