IAM Role and Trust (AWS) 🤝
IAM role
An IAM role is an identity with permissions policies that can be assumed by authorized entities, such as users, applications, or AWS services. Unlike a user, a role has no long-term credentials of its own: whoever assumes it receives temporary credentials that carry the role's permissions. For example, a permissions policy that lets the role read objects from a single bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyPolicyDocument",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}
Where do these temporary credentials come from?
AWS Security Token Service (STS)
STS is an AWS service that provides temporary security credentials to allow assuming IAM roles or federating identity.
The temporary credentials returned by STS consist of:
- Access Key ID - identifies the credentials in API requests (STS keys start with ASIA, long-term user keys with AKIA)
- Secret Access Key - the secret used to sign API requests
- Session Token - must be sent with every request; the key pair alone is rejected without it
- Expiration - the time after which all three stop working
For example, the Credentials block returned by an assume-role call (key material abbreviated):
{
  "Credentials": {
    "AccessKeyId": "ASIA...",
    "SecretAccessKey": "HSs0...",
    "SessionToken": "AgoG...",
    "Expiration": "2021-06-15T22:15:58Z"
  }
}
These credentials carry the role's permissions until the expiration time, which caps the damage if they leak. STS therefore lets you delegate access without ever distributing long-term keys.
One caveat: an individual session cannot be revoked before it expires. If a session is compromised, the standard response is to attach a Deny statement to the role with a DateLessThan condition on aws:TokenIssueTime (this is what the console's "revoke active sessions" action does), which invalidates every session issued before that moment; legitimate callers simply assume the role again.
How do I let another entity use these permissions?
Trust Relationship
The trust policy (also called the assume role policy) is attached to the role and defines who may assume it. It is separate from the permissions policy above: the permissions policy says what the role can do, the trust policy says who can become the role. For example, a role in account 123456789012 that trusts another role in the same account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/cross-account-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Which Principal you write depends on the use case:
- EC2 instance roles: a "Service" principal, ec2.amazonaws.com
- Cross-account access: an "AWS" principal naming a role or user ARN in the other account, or that account's root
- Identity federation: a "Federated" principal naming a SAML or OIDC identity provider
- Lambda function roles: a "Service" principal, lambda.amazonaws.com
Two cautions. Naming an account root (or a bare account ID) only delegates the decision: the identity in that account still needs its own identity policy allowing sts:AssumeRole on the role's ARN. And a trust policy granted to a third party should carry a Condition on sts:ExternalId, so the third party cannot be tricked into assuming your role on someone else's behalf (the confused deputy problem). Never use a wildcard principal without a restricting Condition.
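To make the trust-policy rules concrete, here is an offline evaluator (an added example, not code from the original post) that answers "can this caller assume the role?" for each Principal form listed above and flags the two risky patterns. It goes beyond the single cross-account example on the page: it handles AWS ARN, account-root, Service and Federated principals, the sts:ExternalId condition, and explicit Deny statements. The account IDs, role names and ExternalId value in the sample policies are constructed placeholders, and only StringEquals on sts:ExternalId is evaluated (an assumption of this example; any other condition key makes a statement not match).

```python
"""Evaluate an IAM trust policy offline: who can assume the role, and what to flag."""
import json
import re

# Any of these lets a principal obtain the role's temporary credentials
ASSUME_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithSAML",
                  "sts:AssumeRoleWithWebIdentity", "sts:*", "*"}
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principal_match(principal, caller):
    """How the caller matches the statement's Principal: exact, account, wildcard, or None."""
    if principal == "*":
        return "wildcard"
    for ptype, ids in principal.items():
        if ptype != caller["type"]:
            continue
        for pid in _as_list(ids):
            if pid == "*":
                return "wildcard"
            if pid == caller["id"]:
                return "exact"
            m = IAM_ARN.match(pid) if ptype == "AWS" else None
            # A bare account ID or the account root only delegates the decision:
            # the identity in that account still needs its own sts:AssumeRole grant.
            if ptype == "AWS" and (pid == caller.get("account")
                                   or (m and m.group(2) == "root"
                                       and m.group(1) == caller.get("account"))):
                return "account"
    return None


def _condition_ok(condition, caller):
    """Assumption: only StringEquals on sts:ExternalId is evaluated; anything else
    makes the statement not match (conservative for Allow, may miss a Deny)."""
    for operator, keys in (condition or {}).items():
        for key, expected in keys.items():
            if operator != "StringEquals" or key != "sts:ExternalId":
                return False
            if caller.get("external_id") not in _as_list(expected):
                return False
    return True


def evaluate_trust(policy_json, role_account, caller):
    """Return whether `caller` may assume a role living in `role_account`, plus findings.

    caller: {"type": "AWS"|"Service"|"Federated", "id": str,
             "account": str (AWS principals only), "external_id": str (optional)}
    """
    policy = json.loads(policy_json)
    allowed = denied = needs_identity_policy = False
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if not set(_as_list(stmt.get("Action"))) & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        aws_ids = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_ids:
            findings.append("wildcard principal: anyone is trusted unless a Condition restricts it")
        for pid in aws_ids:
            m = IAM_ARN.match(pid)
            acct = m.group(1) if m else (pid if pid.isdigit() else None)
            if acct and acct != role_account and \
                    "sts:ExternalId" not in json.dumps(stmt.get("Condition", {})):
                findings.append(f"cross-account principal {pid} has no sts:ExternalId "
                                "condition (confused-deputy risk if that account is a third party)")
        how = _principal_match(principal, caller)
        if how is None or not _condition_ok(stmt.get("Condition"), caller):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
            cross_account = caller["type"] == "AWS" and caller.get("account") != role_account
            if how != "exact" or cross_account:
                needs_identity_policy = True
    final = allowed and not denied
    return {"allowed": final, "needs_identity_policy": final and needs_identity_policy,
            "findings": findings}


# Constructed sample trust policies; account IDs and names are placeholders
SAME_ACCOUNT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/cross-account-role"}}]})
THIRD_PARTY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "vendor-12345"}}}]})
EC2_ROLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "ec2.amazonaws.com"}}]})
OPEN = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]})

if __name__ == "__main__":
    vendor = {"type": "AWS", "account": "999999999999",
              "id": "arn:aws:iam::999999999999:user/bob", "external_id": "vendor-12345"}
    print(evaluate_trust(THIRD_PARTY, "123456789012", vendor))
    print(evaluate_trust(OPEN, "123456789012", vendor))
```

Run it against a real trust policy with `aws iam get-role --role-name NAME --query Role.AssumeRolePolicyDocument` and the principal you expect to use; `needs_identity_policy` being true tells you the caller side also needs an sts:AssumeRole grant, and a non-empty `findings` list is what you would raise in a review.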
Practice: Assuming A Role
You can test the workflow above on your own AWS account: create an IAM user with no permissions of its own, then create a role whose permissions policy allows reading one S3 bucket and whose trust policy names that user's ARN as the Principal. In the same account, naming the user explicitly in the trust policy is enough; across accounts the user would also need an identity policy allowing sts:AssumeRole on the role's ARN.
Here is an example of using the AWS CLI to assume an IAM role:
# AWS CLI already configured (`aws configure`) with the user that has no rights
# of its own but is named in the role's trust policy
# Assume the role; a session name is required and is what you will see in CloudTrail
CREDS=$(aws sts assume-role \
  --role-arn "arn:aws:iam::123456789012:role/ReadOnlyBucketWithTrustRelationship" \
  --role-session-name "readonly-test")
# Store the temporary credentials: feed the saved JSON to jq, and use -r so the
# values are not wrapped in quotes; the session token is mandatory, not optional
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r .Credentials.SessionToken)
# The CLI reads these environment variables and now acts as the role
# (`aws sts get-caller-identity` would show the assumed-role ARN)
aws s3 cp s3://my-bucket-name/remote-file $HOME/local/path/to/file
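The shell snippet above trusts whatever comes back from STS. As an added example (not code from the original post), here is the same step done with the checks a practitioner wants: the response is parsed, the key is confirmed to be a temporary STS key (ASIA prefix), the session token is confirmed present, the expiration is compared with the current time, and the result is rendered either as shell exports or as a credentials-file profile. STS_RESPONSE is a constructed sample with the shape of the real assume-role output; its key material is fake.

```python
"""Parse an `aws sts assume-role` response and hand the temporary credentials to the CLI."""
import json
from datetime import datetime, timezone

# Constructed sample with the shape of the real response; the key material is fake.
STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY0000001",
        "SecretAccessKey": "HSs0ExampleSecretNotRealNotRealNotReal00",
        "SessionToken": "AgoGExampleSessionTokenNotReal",
        "Expiration": "2021-06-15T22:15:58Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:readonly-test",
        "Arn": "arn:aws:sts::123456789012:assumed-role/"
               "ReadOnlyBucketWithTrustRelationship/readonly-test",
    },
})


def _parse_ts(iso):
    """STS prints timestamps as ...Z; older Pythons need the explicit offset."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_sts_credentials(response_json, now_iso=None):
    """Return the Credentials fields plus seconds_left, or raise if they are unusable.

    now_iso lets a caller (or a test) pin the clock; by default the real UTC time is used.
    """
    creds = json.loads(response_json)["Credentials"]
    # STS keys start with ASIA; an AKIA key is a long-term user key and has no place here
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("not a temporary STS access key: " + creds["AccessKeyId"])
    if not creds.get("SessionToken"):
        raise ValueError("missing SessionToken; the key pair is rejected without it")
    expires = _parse_ts(creds["Expiration"])
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    seconds_left = int((expires - now).total_seconds())
    if seconds_left <= 0:
        raise ValueError("credentials expired at " + creds["Expiration"])
    return {**creds, "seconds_left": seconds_left}


def as_shell_exports(creds):
    """Lines to eval in a shell; the CLI and SDKs read all three variables."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['SessionToken']}",
    ])


def as_credentials_profile(creds, name):
    """Section for ~/.aws/credentials; aws_session_token is required for STS keys."""
    return "\n".join([
        f"[{name}]",
        f"aws_access_key_id = {creds['AccessKeyId']}",
        f"aws_secret_access_key = {creds['SecretAccessKey']}",
        f"aws_session_token = {creds['SessionToken']}",
    ])


if __name__ == "__main__":
    # Pin the clock 15 minutes before the sample expiration so the sample validates
    creds = parse_sts_credentials(STS_RESPONSE, now_iso="2021-06-15T22:00:58Z")
    print(as_shell_exports(creds))
    print(as_credentials_profile(creds, "readonly-test"))
    print(f"# valid for another {creds['seconds_left']} seconds")
```

In practice you would pipe the real output in (`aws sts assume-role ... | python3 this_script.py`) and `eval` the exports; the point of the checks is that a stale or long-term key never silently ends up in your environment.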
A better alternative is to let the CLI assume the role for you: add a profile to $HOME/.aws/config that names the role and the profile whose credentials are used to call assume-role. The CLI then obtains the temporary credentials itself, caches them and refreshes them before they expire, so nothing is pasted into environment variables:
[profile my-special-role-name]
role_arn = arn:aws:iam::123456789012:role/ReadOnlyBucketWithTrustRelationship
source_profile = default
role_session_name = readonly-test
then select the profile in one of these ways:
- Environment variable:
AWS_PROFILE=my-special-role-name
- Command line arg:
--profile=my-special-role-name