In AWS Identity and Access Management (IAM), a role is an IAM identity that you create in your AWS account with specific permissions. Unlike an IAM user, which has long-term credentials (a console password or access keys), a role has no long-term credentials of its own. Instead, a role is designed to be assumed by trusted entities, such as users, applications, or AWS services, which receive temporary credentials to interact with AWS resources.
Key Concepts of IAM Roles
- Temporary Security Credentials:
- When an entity assumes an IAM role, it receives temporary security credentials (access key ID, secret access key, and session token) from the AWS Security Token Service (STS). They are valid for the session duration requested in the call, from 15 minutes up to the role's configured maximum session duration (1 hour by default, at most 12 hours; a session obtained by role chaining, that is, assuming a role from another role's session, is capped at 1 hour). While valid, the credentials let the entity act with the permissions defined in the role.
- Trust Policy:
- Every IAM role has a trust policy, a resource-based policy attached to the role that defines which principals (IAM users and roles, AWS services, federated identities, or whole accounts) may assume it and under what conditions, for example only with MFA, only with a matching sts:ExternalId, or only for a given OIDC audience. For a principal in another account the trust policy alone is not enough: that principal's own identity-based policy must also allow sts:AssumeRole on the role's ARN.
- Permissions Policy:
- Roles have one or more permissions policies attached to them. These policies define what actions the role can perform on which AWS resources. The permissions granted to the role are enforced whenever the role is assumed.
- No Long-Term Credentials:
- Roles have no long-term credentials, which removes the risk of a static key leaking from source code, a laptop, or a configuration file. The temporary credentials a session receives can still be stolen and used until they expire, so a short session duration, a tightly scoped trust policy, and CloudTrail monitoring of role use remain important.
Types of IAM Roles
- Service Roles:
- Definition: These roles are assumed by an AWS service to act on your behalf. For example, EC2 uses a role attached to an instance through an instance profile to obtain temporary credentials and hands them to the instance through the Instance Metadata Service, so the instance can call S3 or DynamoDB without any credentials embedded in it. Anything running on the instance that can reach the metadata endpoint can read those credentials, which is why instances should require IMDSv2.
- Use Case: When you need to grant AWS services permissions to manage your resources. For example, allowing an EC2 instance to read data from an S3 bucket.
- Cross-Account Roles:
- Definition: These roles allow principals in one AWS account to assume a role in another AWS account; the role's trust policy names the trusted account or principal. This is useful for organizations with multiple AWS accounts that need to share resources.
- Use Case: When you need to allow access to resources in one account from another account. For example, allowing an application in Account A to access resources in Account B. When the trusted account belongs to a third party, require an sts:ExternalId condition in the trust policy so the third party cannot be tricked into assuming your role on someone else's behalf (the confused-deputy problem).
- Identity Provider (IdP) Roles:
- Definition: These roles provide federated access to AWS: a user authenticated by an external identity provider (SAML 2.0 or OpenID Connect) exchanges the provider's assertion or token for temporary credentials by calling AssumeRoleWithSAML or AssumeRoleWithWebIdentity. The trust policy names the provider and should constrain which assertions are accepted, for example by audience or subject.
- Use Case: When you need to provide single sign-on (SSO) access to AWS for users authenticated by an external identity provider, such as Active Directory Federation Services (AD FS) or Okta.
- Service-Linked Roles:
- Definition: These are special roles predefined by AWS and linked directly to a specific AWS service. AWS creates them and owns their permissions policy and trust policy, which you cannot edit; a service-linked role can only be deleted after the resources that depend on it have been removed.
- Use Case: When an AWS service needs specific permissions to manage resources in your account, such as Amazon RDS managing its instances or AWS Systems Manager managing EC2 instances.
Creating an IAM Role
Here’s how you can create an IAM role in the AWS Management Console:
1. Sign In to the AWS Management Console
- Visit the AWS Management Console: Open your web browser and go to the AWS Management Console.
- Sign In: Enter your credentials. Use an IAM identity (or a federated sign-in) that has permission to create roles; reserve the root user for the few tasks that require it.
2. Navigate to IAM
- Access IAM: Once logged in, navigate to the IAM service. You can do this by typing “IAM” into the search bar at the top of the AWS Management Console and selecting “IAM” from the dropdown list.
3. Create a New Role
- Roles: In the IAM Dashboard, click on “Roles” in the left-hand navigation pane.
- Create Role: Click the “Create role” button at the top of the Roles page.
4. Select Trusted Entity
- AWS Service: Select this option if the role will be assumed by an AWS service (e.g., EC2, Lambda).
- Another AWS Account: Select this if you want to allow a different AWS account to assume this role.
- Web Identity: Select this if you’re setting up a role for federated access via a web identity provider like Amazon Cognito.
- SAML 2.0 Federation: Select this if you’re using an external SAML 2.0 identity provider for single sign-on.
5. Attach Permissions Policies
- Attach Policies: Choose one or more AWS managed or customer managed policies to attach to the role. These policies define what actions are allowed when the role is assumed. Broad managed policies such as the *FullAccess policies are convenient but rarely the least privilege a workload needs.
- Create Custom Policy: If none of the existing policies fit your needs, create a customer managed policy scoped to the specific actions and resource ARNs the role needs and attach it.
6. Configure Trust Relationship
- Trust Policy: AWS generates the trust policy from the trusted entity you selected. Review it before continuing: for another AWS account, enable the external ID and MFA options the console offers where they apply; for web identity or SAML, add the audience and subject conditions that tie the role to your application; and never leave a Principal of "*". You can edit the generated trust policy JSON directly if needed.
7. Name and Create the Role
- Role Name: Enter a name for the role. The name should be descriptive of the role’s purpose.
- Create Role: Review the role details, and if everything looks correct, click “Create role.”
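The trust policy produced in step 6 is the security-relevant output of this procedure. The following is an added example, not code from this article or from AWS: a small Python checker that reviews a trust policy the way a reviewer would before clicking "Create role", applied to constructed sample policies for the role types described above (service, cross-account with and without an external ID, web identity with and without audience and subject conditions). The account IDs, the OIDC provider name, the repository name and the external ID are placeholders.

```python
"""Trust-policy review helper.

Added example for this article, not AWS code. It takes a role trust policy as a
Python dict in IAM's JSON policy grammar and returns the findings a reviewer
would raise before creating the role. Account IDs, provider and repository
names and the external ID are placeholders.
"""


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Condition keys used in a statement, lower-cased (IAM matches them case-insensitively)."""
    keys = set()
    for operator_block in (stmt.get("Condition") or {}).values():
        if isinstance(operator_block, dict):
            keys.update(k.lower() for k in operator_block)
    return keys


def _account_of(arn):
    """Account ID from an IAM ARN such as arn:aws:iam::123456789012:root, else None."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[4] else None


def review_trust_policy(policy, own_account):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        principal = stmt.get("Principal") or {}
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        keys = _condition_keys(stmt)

        if principal == "*" or "*" in aws:
            findings.append(f"statement {i}: Principal is '*', so any AWS principal may attempt to assume the role")
        if any(a in ("*", "sts:*") for a in actions):
            findings.append(f"statement {i}: Action is a wildcard; name the one sts:AssumeRole* action the trusted entity needs")
        # principals outside our own account (or '*') should be tied to an external ID
        foreign = [p for p in aws if p == "*" or _account_of(p) not in (None, own_account)]
        if foreign and "sts:externalid" not in keys:
            findings.append(f"statement {i}: trusts another account ({', '.join(foreign)}) without an sts:ExternalId condition (confused-deputy risk)")
        if federated and "sts:AssumeRoleWithWebIdentity" in actions and not any(k.endswith((":aud", ":sub")) for k in keys):
            findings.append(f"statement {i}: web identity trust has no :aud or :sub condition, so any token from the provider is accepted")
        if federated and "sts:AssumeRoleWithSAML" in actions and "saml:aud" not in keys:
            findings.append(f"statement {i}: SAML trust should require SAML:aud to equal the AWS sign-in endpoint")
    return findings


OWN_ACCOUNT = "222222222222"  # placeholder: the account that owns the roles
OIDC_PROVIDER = f"arn:aws:iam::{OWN_ACCOUNT}:oidc-provider/token.actions.githubusercontent.com"

# Constructed sample trust policies, one per role type discussed in the article.
SAMPLE_TRUST_POLICIES = {
    "service_role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
    "cross_account_weak": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "cross_account_fixed": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "placeholder-external-id"}}}]},
    "web_identity_weak": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER}, "Action": "sts:AssumeRoleWithWebIdentity"}]},
    "web_identity_fixed": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER}, "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                       "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}}}]},
}


def review_all(policies=SAMPLE_TRUST_POLICIES, own_account=OWN_ACCOUNT):
    """Map each sample policy name to its findings."""
    return {name: review_trust_policy(p, own_account) for name, p in policies.items()}


if __name__ == "__main__":
    for name, findings in review_all().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

To check a real role, pass the output of the console's trust relationship tab (or of `aws iam get-role`) as the policy dict and your own account ID; the checks are deliberately narrow and do not replace IAM Access Analyzer, but they catch the three mistakes that most often turn a role into a cross-account backdoor.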
Using an IAM Role
Once an IAM role is created, it can be assumed by trusted entities. Depending on the role type:
- Service Roles: AWS services will automatically assume the role to perform tasks.
- Cross-Account Roles: Users or services in another AWS account assume the role by calling the AWS Security Token Service (STS) AssumeRole API.
- Federated Roles: Users authenticated by an external IdP assume the role via SAML (AssumeRoleWithSAML) or web identity (AssumeRoleWithWebIdentity) federation.
- Service-Linked Roles: AWS services manage the role automatically, and it is assumed as needed.
Listing IAM Roles
To view all the IAM roles in your AWS account:
- Go to IAM Roles Page: In the IAM Dashboard, click on “Roles” in the left-hand navigation pane.
- View Role Details: Click on any role's name to view its details, including the attached policies, trust relationships, maximum session duration, and last activity.
Deleting an IAM Role
If you no longer need a role, you can delete it as follows:
- Go to IAM Roles Page: In the IAM Dashboard, click on “Roles” in the left-hand navigation pane.
- Select the Role to Delete: Find the role you want to delete and click on its name to view the details.
- Delete Role: At the top of the role's details page, click "Delete" and confirm the deletion in the pop-up dialog. Check the role's last activity first: deleting a role that an instance profile, Lambda function, or another account still relies on breaks that workload. If the goal is to cut off a compromised role without deleting it, use "Revoke active sessions" on the role, which attaches a deny policy conditioned on aws:TokenIssueTime so that credentials issued before that moment stop working.
Best Practices for IAM Roles
- Use Roles Over Long-Term Credentials: Prefer roles with temporary credentials over long-term access keys, for workloads (instance profiles, Lambda execution roles) as well as for people (federation or IAM Identity Center).
- Limit Role Permissions: Apply the principle of least privilege by attaching only the permissions a role needs, scoped to specific resources.
- Constrain Who Can Assume a Role: Keep trust policies narrow: name specific principals rather than whole accounts where possible, require sts:ExternalId for third parties and MFA for humans, and keep the maximum session duration as short as the workload allows.
- Monitor Role Usage: Use AWS CloudTrail to review AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity events (who assumed which role, from where, and whether the call was denied) and AWS Config to track changes to role policies.
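As an added example of the monitoring bullet above (not code from this article or from AWS), here is a Python pass over constructed CloudTrail AssumeRole records. It flags a role assumed by a principal its trust policy was not meant to allow and repeated AccessDenied attempts from one caller, and tallies which callers actually use each role. The ARNs, account IDs, IP addresses and the EXPECTED_CALLERS table are assumptions.

```python
"""Review of CloudTrail AssumeRole records.

Added example for this article, not AWS code. The events are constructed to
mimic CloudTrail's record shape for sts:AssumeRole calls; account IDs, ARNs
and IP addresses are placeholders. EXPECTED_CALLERS stands in for what each
role's trust policy is meant to allow.
"""
from collections import Counter, defaultdict

DATA_ROLE = "arn:aws:iam::222222222222:role/DataPipelineRole"
AUDIT_ROLE = "arn:aws:iam::222222222222:role/ReadOnlyAuditRole"
PARTNER_ROLE = "arn:aws:iam::111111111111:role/PartnerIngestRole"
ALICE_ARN = "arn:aws:iam::222222222222:user/alice"

EXPECTED_CALLERS = {DATA_ROLE: {PARTNER_ROLE}, AUDIT_ROLE: {ALICE_ARN}}
DENIED_THRESHOLD = 2  # repeated AccessDenied from one caller is worth a look

# userIdentity blocks in the shape CloudTrail writes them (constructed)
ALICE = {"type": "IAMUser", "accountId": "222222222222", "arn": ALICE_ARN}
PARTNER_SESSION = {"type": "AssumedRole", "accountId": "111111111111",
                   "arn": "arn:aws:sts::111111111111:assumed-role/PartnerIngestRole/ingest-1",
                   "sessionContext": {"sessionIssuer": {"type": "Role", "arn": PARTNER_ROLE}}}
MALLORY = {"type": "IAMUser", "accountId": "333333333333",
           "arn": "arn:aws:iam::333333333333:user/mallory"}


def _event(time, identity, role_arn, source_ip, error_code=None):
    """Build a minimal CloudTrail AssumeRole record (constructed sample data)."""
    ev = {"eventTime": time, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
          "userIdentity": identity, "sourceIPAddress": source_ip,
          "requestParameters": {"roleArn": role_arn, "roleSessionName": "s"},
          "recipientAccountId": "222222222222"}
    if error_code:
        ev["errorCode"] = error_code
    return ev


EVENTS = [
    _event("2024-05-01T08:00:00Z", ALICE, AUDIT_ROLE, "10.0.0.5"),
    _event("2024-05-01T08:05:00Z", PARTNER_SESSION, DATA_ROLE, "203.0.113.10"),
    _event("2024-05-01T08:07:00Z", MALLORY, DATA_ROLE, "198.51.100.7"),
    _event("2024-05-01T08:09:00Z", MALLORY, AUDIT_ROLE, "198.51.100.7", "AccessDenied"),
    _event("2024-05-01T08:09:30Z", MALLORY, AUDIT_ROLE, "198.51.100.7", "AccessDenied"),
]


def caller_of(identity):
    """The IAM principal behind a userIdentity block. For an assumed-role session
    CloudTrail puts the session ARN in userIdentity.arn and the role itself in
    sessionContext.sessionIssuer.arn, which is the ARN a trust policy names."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity.get("arn", "<unknown>")


def review_assume_role_events(events, expected=EXPECTED_CALLERS, threshold=DENIED_THRESHOLD):
    """Return findings plus a per-role usage table (role -> caller -> successful assumptions)."""
    findings, denied, usage = [], Counter(), defaultdict(Counter)
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        role = ev["requestParameters"]["roleArn"]
        caller = caller_of(ev["userIdentity"])
        ip = ev.get("sourceIPAddress", "?")
        if "errorCode" in ev:
            denied[(caller, role, ip)] += 1
            continue
        usage[role][caller] += 1
        if role in expected and caller not in expected[role]:
            findings.append(f"{ev['eventTime']}: {role} assumed by unexpected caller {caller} from {ip}; review the trust policy")
    for (caller, role, ip), n in denied.items():
        if n >= threshold:
            findings.append(f"{n} denied AssumeRole attempts on {role} by {caller} from {ip}")
    return {"findings": findings, "usage": usage}


if __name__ == "__main__":
    result = review_assume_role_events(EVENTS)
    for f in result["findings"]:
        print("FINDING:", f)
    for role, callers in result["usage"].items():
        print(role, dict(callers))
```

The usage table is as useful as the findings: a principal that a trust policy allows but that never appears in months of CloudTrail is a trust relationship you can remove. In production the events come from a CloudTrail Lake query or an S3 log bucket rather than a list, and the AssumeRoleWithSAML and AssumeRoleWithWebIdentity event names should be handled the same way.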