In AWS Identity and Access Management (IAM), assuming roles allows entities (users, applications, or services) to temporarily gain access to resources with a specific set of permissions. This practice enhances security by adhering to the principle of least privilege and facilitates cross-account or intra-account access management. Below is a comprehensive guide to implementing role assumption in AWS IAM.
1. Prerequisites
1. IAM Permissions: Ensure that the IAM entity (user or service) has sts:AssumeRole permissions.
2. Roles: A pre-existing IAM role with a defined trust policy.
3. AWS CLI or SDK: AWS Command Line Interface or SDK installed for execution.
2. Create an IAM Role
1. Access IAM Console:
Navigate to the AWS Management Console and open the IAM Dashboard.
2. Create a New Role:
Click Roles in the left-hand navigation pane, then select Create Role.
3. Specify Trusted Entity:
Choose the type of trusted entity:
AWS Service for services like Lambda or EC2.
Another AWS Account for cross-account access.
4. Define Trusted Policy:
Specify the AWS account or service allowed to assume the role. Example for cross-account access:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: {
“AWS”: “arn:aws:iam::123456789012:root”
},
“Action”: “sts:AssumeRole”
}
]
}
5. Attach Policies:
Assign permissions to the role by attaching managed or custom policies (e.g., AmazonS3FullAccess).
6. Review and Create:
Name the role and finalize its creation.
3. Assume the Role Using AWS CLI
1. Retrieve Role ARN:
Locate the role’s Amazon Resource Name (ARN) from the IAM Console.
2. Assume Role:
Use the following command to assume the role:
aws sts assume-role –role-arn arn:aws:iam::123456789012:role/MyRoleName –role-session-name MySessionName
3. Store Temporary Credentials:
The response will include temporary Access Key ID, Secret Access Key, and Session Token. Example output:
{
“Credentials”: {
“AccessKeyId”: “AKIAIOSFODNN7EXAMPLE”,
“SecretAccessKey”: “wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY”,
“SessionToken”: “FQoDYXdz…EXAMPLETOKEN”
}
}
4. Export Credentials:
Temporarily set the credentials in your CLI environment:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=FQoDYXdz…EXAMPLETOKEN
4. Validate Access
1. Run an AWS Command:
Verify the assumed role’s permissions with a test command, such as listing S3 buckets:
aws s3 ls
2. Revoke Session:
Temporary credentials expire automatically. Alternatively, terminate sessions by revoking tokens in the AWS Management Console if required.
Conclusion
Assuming roles in IAM empowers secure and flexible access control, ideal for cross-account setups, delegation, or service-specific permissions. By utilizing STS (Security Token Service) effectively, you enhance the scalability and security posture of your AWS infrastructure.
The article above is rendered by integrating outputs of 1 HUMAN AGENT & 3 AI AGENTS, an amalgamation of HGI and AI to serve technology education globally.