October 15, 2024

How to Create IAM Role CLI

Creating an IAM role for use with the AWS Command Line Interface (CLI) involves several steps. The role allows an AWS service, user, or application to assume it and perform specific actions through the CLI. To set up a role that can be assumed via the AWS CLI, the process generally involves the following steps:

Step 1: Create the IAM Role in AWS Management Console

1. Sign in to the AWS Management Console

  • Open your web browser and navigate to the AWS Management Console.
  • Sign in using your AWS account credentials.

2. Navigate to IAM

  • In the AWS Management Console, type “IAM” in the search bar and select “IAM” from the dropdown list to go to the IAM Dashboard.

3. Create a New Role

  • In the IAM Dashboard, click on “Roles” from the left-hand navigation pane.
  • Click the “Create role” button.

4. Select Trusted Entity

  • For most scenarios where you want to use the CLI to assume a role, you’ll select “Another AWS account” if the role is to be assumed by a different AWS account, or “AWS service” if the role is tied to a service like EC2 that will use the CLI to perform actions.
  • If you plan to assume the role from within the same account using the CLI:
    • Select “Another AWS account” and enter your account ID (you can find this on the “My Account” page of your AWS Management Console).
    • Alternatively, you can set up a role for federated users if you plan to assume the role from a federated identity provider.

5. Attach Permissions Policies

  • After selecting the trusted entity, you need to attach the appropriate permissions policies to the role. These policies define what actions can be performed when the role is assumed.
  • Choose one or more policies depending on what you need the role to do. For example:
    • For general administrative tasks: Attach the AdministratorAccess policy.
    • For specific tasks, like S3 management: Attach the AmazonS3FullAccess policy.
  • If none of the predefined policies fit, you can create a custom policy.

6. Configure Trust Relationship

  • This is where you define who or what can assume this role. The trust policy will automatically be generated based on the choices you’ve made, but you can modify it if necessary.
  • Ensure that the trust relationship is correctly configured to allow the AWS CLI (or the user/service using the CLI) to assume the role.
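The “Another AWS account” choice generates a trust policy whose principal is the account root, which delegates the decision to every principal in that account that has sts:AssumeRole in its own policy. As an added example (not part of the original article), the Python below builds a trust policy that names the specific IAM user that runs the CLI instead, and audits a trust policy for principals broader than one identity; the account ID and user name are constructed sample values.

```python
import json

# Constructed sample values: a 12-digit account ID and the IAM user that runs the CLI.
ACCOUNT_ID = "123456789012"
CLI_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/cli-operator"


def build_trust_policy(principal_arns):
    """Trust policy that lets only the listed principals call sts:AssumeRole.

    Naming the IAM user or role that runs the CLI is tighter than trusting the
    account root (arn:aws:iam::ACCOUNT-ID:root), which delegates the decision to
    every principal in the account that has sts:AssumeRole in its own policy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "sts:AssumeRole",
        }],
    }


def audit_trust_policy(policy):
    """Return one finding per Allow-statement principal broader than one identity."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            if arn == "*":
                findings.append("Principal '*' lets any AWS principal assume the role")
            elif arn.endswith(":root"):
                findings.append(f"{arn} trusts the whole account rather than one user or role")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy([CLI_USER_ARN])
    print(json.dumps(policy, indent=2))   # paste into the role's trust relationship
    print(audit_trust_policy(policy))     # [] means no broad principals found
```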

7. Name and Create the Role

  • Provide a descriptive name for the role that reflects its purpose.
  • Review your settings, and if everything looks correct, click “Create role.”

Step 2: Assume the Role Using AWS CLI

To use the IAM role with the AWS CLI, you need to configure the AWS CLI to assume the role. This is done using the aws sts assume-role command to obtain temporary security credentials.

1. Configure AWS CLI with Initial Access

  • Ensure that your AWS CLI is configured with credentials that have permissions to call sts:AssumeRole.
  • Run aws configure and set up your initial credentials:

    bash:
    aws configure

  • You will be prompted to enter:
    • AWS Access Key ID
    • AWS Secret Access Key
    • Default region name
    • Default output format

2. Assume the IAM Role

  • Use the aws sts assume-role command to assume the role:

    bash:
    aws sts assume-role \
      --role-arn arn:aws:iam::ACCOUNT-ID:role/ROLE-NAME \
      --role-session-name SESSION-NAME

  • Replace ACCOUNT-ID with your AWS account ID, ROLE-NAME with the name of the role you created, and SESSION-NAME with a unique session name.
  • The command will return a set of temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken).

3. Export Temporary Credentials

  • Use the credentials returned by the assume-role command to set environment variables for your AWS CLI session:

    bash:
    export AWS_ACCESS_KEY_ID=your-access-key-id
    export AWS_SECRET_ACCESS_KEY=your-secret-access-key
    export AWS_SESSION_TOKEN=your-session-token

  • These environment variables allow the AWS CLI to make API calls using the assumed role’s permissions.

4. Execute AWS CLI Commands

  • Now, you can run AWS CLI commands that use the permissions granted by the assumed role:

    bash:
    aws s3 ls

  • This command lists the S3 buckets, assuming the role has the s3:ListBucket permission.
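As an added example (not from the original article), the Python below does what steps 2 and 3 describe by hand: it reads the JSON that aws sts assume-role prints, refuses credentials that have already expired or are not temporary keys, renders the three export lines, and pulls the session name out of AssumedRoleUser.Arn, which is how calls made with these credentials are labelled in CloudTrail. The response is a constructed sample with fake values.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample in the shape of `aws sts assume-role` output; every value is fake.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "exampleSecretAccessKey0000000000000000000",
        "SessionToken": "exampleSessionTokenValue",
        "Expiration": "2024-10-15T13:00:00+00:00",
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::123456789012:assumed-role/ROLE-NAME/cli-session",
    },
})
SAMPLE_NOW = datetime(2024, 10, 15, 12, 0, tzinfo=timezone.utc)


def credentials_to_env(response_json, now=None):
    """Map the Credentials block to the variables the CLI reads from the environment.

    Rejects credentials whose Expiration has passed, and insists on a temporary
    access key (temporary keys begin with ASIA, long-term IAM user keys with AKIA)
    so that a long-term key is never exported as if it were a session.
    """
    creds = json.loads(response_json)["Credentials"]
    now = now or datetime.now(timezone.utc)
    expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expiration <= now:
        raise ValueError(f"credentials expired at {expiration.isoformat()}")
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("AccessKeyId is not a temporary (ASIA...) key")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def export_lines(env):
    """Render the `export` lines from step 3, shell-quoted."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())


def session_name(response_json):
    """SESSION-NAME as recorded in AssumedRoleUser.Arn (and in CloudTrail for this session)."""
    return json.loads(response_json)["AssumedRoleUser"]["Arn"].rsplit("/", 1)[1]
```

Printing export_lines(credentials_to_env(SAMPLE_RESPONSE, SAMPLE_NOW)) yields the three export lines ready to paste into the shell.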

Step 3: Optional – Automate Role Assumption Using AWS CLI Profiles

To make role assumption easier, you can set up a profile in your AWS CLI configuration that automatically assumes the role:

1. Edit the AWS CLI config file (~/.aws/config) to add a new profile:

    ini:
    [profile role-assumed]
    source_profile=default
    role_arn=arn:aws:iam::ACCOUNT-ID:role/ROLE-NAME

  • Replace ACCOUNT-ID and ROLE-NAME with your account ID and role name respectively.
  • Use the profile to execute commands:

    bash:
    aws s3 ls --profile role-assumed

  • This setup allows you to use the role without manually running sts assume-role each time.
