While cross-account roles are extremely useful for administering multiple AWS accounts, they're not the most intuitive thing to configure. Here's a diagram that illustrates the resources and their interactions:
The first few steps of this recipe are simply creating the Target IAM Role in a clear and repeatable way using CloudFormation.
You must explicitly call out the AWS account number that will be allowed to assume this role. If you want to allow multiple accounts to assume the role, simply add more statements to the AssumeRolePolicyDocument property of the role.
The sample policy created in this template gives full access ...