There are two companies: Client and Contractor. Both have AWS accounts. I'm looking for a simple but secure way to get staff from the Contractor team access to the Client's AWS console. Yep, I'm on the Contractor's side.
The ways I can remember so far:
- create a user in the Client's account and provide a login/password. As far as I know this is not recommended. Also, it can be a headache for a Contractor who has many clients to manage all the credentials, and it is quite uncomfortable to switch between accounts during the working day (the main reason).
- federation. Possible pitfall: the client needs to add the federation provider; if the provider is the Contractor's AD, then to me it does not look better than just creating an account. Using a 3rd (4th?) party identity provider (Google) does not look good to me because my paranoia protests against exposing the Contractor's internal-only credentials to a public BigBrother-like service. Perhaps I'm wrong or something is missing here; I will be glad to hear your well-founded opinion.
- use cross-account access (recommended).
The third one looks like the most correct, but the problem is that so far I cannot find a ready-made way to do so. My findings: How to Use an External ID [...], Providing Access to AWS Accounts [...] and How to Enable Cross-Account Access to the Console. None of them is ready to use; rather, they give you an idea of where to move on. Also I know Rackspace has their own solution for this purpose, but I was unable to find the code.
So I'll repeat: I'm looking for a simple but secure way to get staff from the Contractor team access to the Client's AWS console. I will be glad to save some effort and not re-invent the bicycle. Do you know/have such a solution?
To provide cross-account access you need a role in the Client account; let's call it "contractor". Create this role in the Client account with the permissions required, and in the AssumeRolePolicyDocument add:

    {
      "Statement": {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
          "AWS": [ "arn:aws:iam::12345678910:user/contractor.user" ]
        }
      }
    }

where 12345678910 is the account ID of the Contractor account.
Then when you log in to the contractor role you can select "Switch role" in the top right, type in the account name or ID for the Client account, type in the role name "contractor", and boom.
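As an added example (not the answerer's code), here is the trust policy above extended with the External ID and MFA conditions the question's "How to Use an External ID" link refers to, plus a small review function a Client can run against any trust policy a Contractor proposes. The account ID and external ID are constructed placeholders, and trusting the Contractor account root (rather than one named user) is an assumption that lets the Contractor manage its own staff without the Client editing the role each time.

```python
import json

# Constructed placeholders: use the real Contractor account ID and an
# external ID agreed out-of-band between Client and Contractor.
CONTRACTOR_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "replace-with-shared-secret"

def build_trust_policy(contractor_account_id, external_id, require_mfa=True):
    """AssumeRolePolicyDocument for the 'contractor' role in the Client account.
    Trusting the Contractor account root lets the Contractor decide which of
    its own users may assume the role; ExternalId and MFA narrow it further."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{contractor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }

def trust_policy_findings(policy, expected_account_id):
    """Review a trust policy and list the weaknesses a Client should reject."""
    findings = []
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any AWS account may assume")
            continue
        arns = principal.get("AWS", [])
        for arn in [arns] if isinstance(arns, str) else arns:
            if arn == "*" or f":{expected_account_id}:" not in arn:
                findings.append(f"principal outside account {expected_account_id}: {arn}")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append("MFA not required to assume the role")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy(CONTRACTOR_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, CONTRACTOR_ACCOUNT_ID))
```

When the Contractor uses "Switch role" in the console, the External ID field must match the value in the policy, and the MFA condition is satisfied only if the Contractor's user signed in with MFA.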