AWS dominates the cloud computing market, holding more market share than its two biggest rivals, Microsoft Azure and Google Cloud.
What Is an AWS IAM Role?
AWS Identity and Access Management (IAM) is the system that controls who can access certain AWS resources and what actions they can take. Once a user is verified, IAM serves as the primary barrier to stop unauthorized actions and misuse of resources. In simple terms, IAM ensures the integrity and confidentiality of an AWS environment.
AWS IAM roles, like IAM users, are AWS identities with particular permissions. Anyone in need of it can assume it, and it offers temporary security credentials. Users, apps, or services that don’t frequently use AWS resources can be granted access through roles. Access to resources, individuals with identities outside of AWS, and third parties for auditing purposes can all be granted using them.
Any of these entities can assume a role to use its permissions.
- AWS service
- AWS user from the same account
- AWS user from another account
- Federated identity
Types of IAM Roles
AWS IAM roles fall into one of the following major categories based on their trust policies:
- Service role
- Service-linked role
- Web Identity role
- SAML 2.0 federation role
- Custom IAM role
AWS IAM Role-Use Cases
Integrate workforce identities into AWS: With IAM Identity Center, users can log in to AWS accounts using their existing corporate credentials. You can define permissions for users accessing AWS accounts through IAM roles.
Get exclusive access to all things tech-savvy, and be the first to receive
the latest updates directly in your inbox.
Access workloads in AWS: A workload consists of resources and code, like an application, that needs an identity to request AWS services. AWS IAM roles allow your application, whether on Amazon EC2 instances or other AWS compute environments, to access AWS resources using temporary credentials, eliminating the need for long-term credentials.
Access workloads outside of AWS: If you have workloads running outside AWS, such as on-premises, hybrid, or multicloud setups, they may need access to your AWS resources. IAM Roles Anywhere enables your applications outside AWS to gain temporary access to resources in your AWS environment.
Enable cross-account access: It is advisable to use multiple AWS accounts to separate and manage your business applications and data. To let identities in one AWS account access resources in another, you can use AWS IAM roles for access.
Grant access to AWS services: AWS services require permission to act in your AWS account on your behalf. When setting up an AWS service environment, you create a role for the service to take on. The service can then assume this role and perform only the actions you have allowed.
Overview of How AWS IAM Roles Work
- Root user: The original user who has the most access to all AWS resources and services.
- Individuals or services with certain authorization to use AWS resources are known as IAM users. Security credentials might be unique for each user.
- IAM roles: Give users, groups, apps, or other AWS services particular permissions.
- IAM groups: Give permissions to several users at once, and each user will inherit the group’s permissions.
Advantages of Using AWS IAM Roles
- They remove the need to handle long-term security credentials.
- They enable Single Sign-On (SSO) through SAML 2.0.
- They allow web identity federation, enabling users to log in through popular external identity providers (IdPs) like Amazon, Facebook, Google, etc.
- Enhanced security is achieved since there is no need to rotate and replace short-term credentials, as these already have a set expiration.
- IAM roles cater to various scenarios, including cross-account access, identity federation, IAM roles anywhere, and more.
Prerequisites for Creating IAM Roles
Creating a Custom IAM Role in AWS
- First, log into your AWS account and head over to the IAM service.
- From the dashboard or side navigation, find the roles panel.
- Just ignore any pre-existing roles you see in the roles panel.
- Hit the “Create role” button to start making a new role.
- Choose the “Custom trust policy” option and input the Amazon Resource Name (ARN) of the AWS IAM user.
- Copy that ARN and paste it as a key-value pair, using “AWS” as the key.
- Take a moment to review the trust policy and pick a permission policy for your role.
- Select the existing managed policy called AmazonRDSFullAccess to give full access to the AWS RDS service.
- Keep all other settings as they are and click next.
- Name your role AWSIAMRoleForRDS and write the description as “AWS IAM role for RDS”.
- Finally, review everything and click on the “Create role” button.
Step-by-Step: Create IAM Role Using AWS Console
IAM roles allow access to AWS resources by creating trust relationships between the account that trusts and other accounts that are trusted. The account that trusts owns the resource, while the trusted account manages access. The AWS Security Token Service (AWS STS) AssumeRole API operation offers temporary security credentials for accessing AWS resources in the trusted account.
You can utilize the AWS Management Console to set up a role that an IAM user can take on. For instance, imagine that your organization has several AWS accounts to separate a development environment from a production environment.
Step-by-Step: Create IAM Role Using AWS CLI
When using the CLI, we can set up an AWS profile to take on a role. To use AWS profiles, you need to have the AWS CLI installed with the default profile already set up. If it’s not configured, please follow this link for setup.
{<br>"Version": "2012-10-17",<br>"Statement": [<br>{<br>"Effect": "Allow",<br>"Principal": { "AWS": "arn:aws:iam::123456789012:root" },<br>"Action": "sts:AssumeRole",<br>"Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }<br>}<br>]<br>}Using profiles
Open the AWS config file, which is for setting up AWS profiles. You can find this file at ~/.aws/config on macOS or Linux, and at C:\Users\USERNAME.aws\config on Windows.
Create a new profile named rdsadmin. When making a profile for a role, two keys are necessary:
– Role ARN: This can be found on the role details page.<br>– Source profile: The AWS CLI uses the credentials from this profile to assume the role. We will select the default profile.<br>[profile rdsadmin]<br>role_arn = arn:aws:iam::123456789012:role/AWSIAMRoleForRDS<br>source_profile = defaultOnce the config is updated, we can use the –profile flag with any CLI command to utilize the assumed role. For example, we can run the following command to describe all database instances using the assumed rdsadmin role.
aws rds describe-db-instances –profile rdsadmin
To stop using a role (Using profiles)
To stop using the assumed role and revert to the original credentials, execute the commands without the –profile flag. The AWS CLI will default to using the credentials from your default profile if the –profile flag is not included.
Step-by-Step: Create IAM Role Using Terraform
resource "aws_iam_role" "lambda_exec_role" {
name = "lambda_exec_role"
assume_role_policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Action = "sts:AssumeRole",
Effect = "Allow",
Principal = {
Service = "lambda.amazonaws.com"
}
}
]
})
}
resource "aws_iam_role_policy_attachment" "lambda_policy" {
role = aws_iam_role.lambda_exec_role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"You can use the AWS Management Console to set up a role that an IAM user can take on. For instance, imagine that your organization has several AWS accounts to separate a development environment from a production environment.
Creating an IAM role (AWS API
To create a role in code using the AWS API, follow these steps: CreateRole, specify a file location for the role’s trust policy, attach a managed permission policy or create an inline policy. Grant individual users in the trusted account permissions to switch roles, add custom attributes with TagRole, and set the permissions boundary for the role.
Common Misconfigurations in IAM Roles
- Misconfigurations can happen because of complicated system designs, human error, or lack of technical knowledge.
- IAM roles are crucial as they set the limits for organizational data and services.
- Common IAM role misconfigurations include:
- Unused IAM roles: Only 1% of permissions given to cloud identities are actually utilized. Removing these roles can lessen the attack surface.
- Overly permissive roles: If roles with excessive permissions are breached, attackers could alter or erase essential resources.
- Static IAM role keys: Regularly changing static access keys can heighten the risk of leakage or misuse.
- Not using condition statements in role policies: Without condition statements, permission boundaries may be too broad.
- The confused deputy problem in cross-account access: Use an external ID known only to the customer and a trusted AWS account to avoid manipulation.
Conclusion
AWS IAM roles are vital for enhancing IAM services, boosting security, and are key for cross-account access, identity federation, and identity management when fully utilized.
Creating an AWS IAM role is an essential skill in any AWS environment, the only way to do it right is to follow the examples discussed above very confidently, so if done right roles give you secure, flexible, and auditable access accross services.
Build a foundations efficiently and build a foundation that’s ready for scale, automation and real-world DevOps.
FAQ’s
1. How do IAM users and roles differ from one another? Users are identities that never change. Services or users temporarily assume roles.
2: Is it possible to create a role that has several trust entities? Yes, simply specify a number of principles in the trust policy.
3: How can I add more than one policy to an AWS IAM role? Make use of Terraform resources or several attach-role-policy commands.
4: Can I create more than one role? Indeed, each account has a $1,000 soft limit, though this can be raised.
5: Is it better to use custom or managed policies? Start with AWS-managed and then switch to custom for more control.
