Amazon Computer Services
What is an IAM Role?
An IAM role is an AWS identity. Like a user, every role has a permissions policy that defines what the role can and cannot do.
Unlike an IAM user, a role has no long-term credentials: no password and no permanent access key ID and secret access key.
A role is also not tied to one person. Instead, it can be assumed by a user, an application, or an AWS service that needs access to AWS resources in the same or another account; in other words, a role is a way to delegate access.
When an entity assumes a role, AWS generates temporary security credentials for it (an access key ID, a secret access key, and a session token) that expire after a set duration. With those credentials the entity can call whichever AWS APIs the role's permissions policy allows.
For example, a role with permission to access DynamoDB and an RDS database can be attached to an EC2 instance. An application running on that instance picks up the role's temporary credentials from the instance and uses them to call DynamoDB or RDS.
Similarly, if you want a web or mobile application to access AWS resources but do not want to hard-code an access key and secret key in the application, an IAM role is the answer.
IAM roles can also provide federated access to AWS services for users authenticated by Microsoft Active Directory (AD), LDAP, or a similar identity provider. The following sections cover these scenarios in detail.
In a nutshell, with roles the permissions (IAM policies) are attached to the role, and whoever assumes it holds those permissions only for the lifetime of the session, rather than permanently as an IAM user or group would.
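The credential exchange described above, as a runnable Python example added for this page (it is not code from the original text or from AWS). The real call is `assume_role` on a boto3 STS client; because that needs network access and a caller identity, the example includes a stand-in client that returns a response of the same shape with constructed values. The role ARN, session name and key values are invented.

```python
"""Added example: exchanging a caller's identity for a role's temporary
credentials, instead of shipping long-term keys inside an application."""
from datetime import datetime, timedelta, timezone

try:
    import boto3  # real STS clients come from boto3 when it is installed
except ImportError:  # keep the example runnable without boto3
    boto3 = None


def is_temporary_key(access_key_id: str) -> bool:
    """Long-term IAM user keys start with AKIA; STS temporary keys start with ASIA.
    Handy when triaging a leaked key or a CloudTrail record."""
    return access_key_id.startswith("ASIA")


class FakeStsClient:
    """Stand-in for boto3's STS client (assumption: same call shape as
    boto3 `assume_role`). Returns constructed values so the example runs offline."""

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600, **kwargs):
        expires = datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds)
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLE123456789",   # constructed
                "SecretAccessKey": "fake-secret",         # constructed
                "SessionToken": "fake-session-token",     # constructed
                "Expiration": expires,
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLE:" + RoleSessionName,
                # Assumed-role sessions are identified by this ARN form.
                "Arn": RoleArn.replace(":role/", ":assumed-role/") + "/" + RoleSessionName,
            },
        }


def assume_role(sts_client, role_arn, session_name, duration=3600):
    """Ask STS for the role's temporary credentials."""
    resp = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration
    )
    creds = resp["Credentials"]
    # Temporary credentials are a triple plus an expiry; the session token is
    # what distinguishes them from a user's long-term access key pair.
    for key in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if key not in creds:
            raise ValueError(f"STS response missing {key}")
    return creds


def credentials_valid(creds, now=None):
    """True if the credentials are temporary and have not yet expired."""
    now = now or datetime.now(timezone.utc)
    return is_temporary_key(creds["AccessKeyId"]) and creds["Expiration"] > now


def session_from(creds):
    """Build a boto3 session from the temporary credentials (needs boto3)."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    sts = FakeStsClient()  # in practice: boto3.client("sts")
    creds = assume_role(sts, "arn:aws:iam::111122223333:role/AppReadOnly", "app-session")
    print(creds["AccessKeyId"], "valid:", credentials_valid(creds))
```

On an EC2 instance the application does not even make this call itself: the instance metadata service hands the SDK the same kind of credential triple for the attached role, and the SDK refreshes it before expiry.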
IAM roles can be assumed by:
- An IAM user in the same AWS account.
- An IAM user in a different AWS account.
- AWS services (for example, EC2).
- External users authenticated by an identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC), or by a custom identity broker.
Let's start by defining some important terminology for IAM roles:
Delegation is a way to extend an entity's permissions on AWS resources to other users or applications so that they can perform certain operations on those resources. It involves establishing trust between the account that owns the resources and the account containing the user who needs to access them.
The account that owns the resources is called the trusting account, and the account whose user needs to access those resources is called the trusted account.
Trusting (source) and trusted (destination) accounts can be:
- The same AWS account.
- Two different accounts managed by the same organization.
- Two different accounts managed by different organizations.
To delegate permissions, a role carries two policies. The permissions policy defines what the role is allowed to do, and the trust policy defines which trusted accounts (or other principals) are allowed to assume the role. For cross-account access, the user in the trusted account additionally needs an identity-based policy in their own account that allows sts:AssumeRole on the role.
Identity federation is a mechanism that lets applications authenticate users through an external IdP instead of implementing their own sign-in code.
These external IdPs include Amazon, Facebook, Google, or any OIDC-compatible provider (web identity federation), as well as Microsoft AD, LDAP, or any other provider that supports SAML 2.0. In both cases a token-based exchange is configured between the external IdP and AWS, which then issues temporary credentials for a role.
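The following Python example, added here and not part of the original page, builds the two policy documents that delegation needs (a permissions policy and a trust policy), adds a web identity trust policy for the OIDC federation case, and runs a simplified check of whom a trust policy admits. All account IDs, ARNs, the external ID and the audience value are invented. The ExternalId condition and the open-trust check go slightly beyond the text: they are the checks a reviewer applies to a cross-account role.

```python
"""Added example: the permissions policy and trust policy of a delegated role,
a web identity trust policy for federation, and a simplified trust check."""
import json


def permissions_policy(table_arn):
    """What the role may do once assumed: here, read one DynamoDB table."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query"],
        "Resource": table_arn}]}


def cross_account_trust_policy(trusted_account_id, external_id=None):
    """Trust policy for delegation: principals of the trusted account may assume
    the role. The optional sts:ExternalId condition guards against the
    confused-deputy problem when the trusted account belongs to a third party."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def web_identity_trust_policy(provider_domain, audience):
    """Trust policy for web identity federation (e.g. provider_domain
    "accounts.google.com"): only tokens issued for our audience may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_domain},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{provider_domain}:aud": audience}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy, principal_arn, action="sts:AssumeRole", external_id=None):
    """Simplified evaluation: Allow statements, AWS principals and the ExternalId
    condition only. Real IAM evaluation also applies Deny statements, wildcards,
    other condition keys, and the caller's own permissions in the trusted account."""
    account = principal_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # An account root principal delegates to every identity in that account
        # (subject to that account's own IAM policies).
        if not any(p in ("*", principal_arn, f"arn:aws:iam::{account}:root") for p in allowed):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond and cond["sts:ExternalId"] != external_id:
            continue
        return True
    return False


def trust_policy_is_open(trust_policy):
    """Flag the classic misconfiguration: any AWS principal may assume the role."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principal = stmt.get("Principal", {})
        wildcard = principal == "*" or "*" in _as_list(principal.get("AWS", []))
        if wildcard and not stmt.get("Condition"):
            return True
    return False


if __name__ == "__main__":
    # Constructed account IDs: 111122223333 owns the table (trusting),
    # 222233334444 holds the users who need it (trusted).
    trust = cross_account_trust_policy("222233334444", external_id="acme-42")
    perms = permissions_policy("arn:aws:dynamodb:us-east-1:111122223333:table/Orders")
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print(trust_policy_allows(trust, "arn:aws:iam::222233334444:user/alice", external_id="acme-42"))
```

The `trusted_account_id:root` principal is the common delegation pattern because it lets the trusted account decide, through its own IAM policies, which of its users may call sts:AssumeRole; naming individual user ARNs in the trust policy is tighter but has to be updated whenever those users change.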
A policy is a JSON document written in the IAM policy language. It defines the permissions granted to an IAM role; policies can also be attached to IAM users and groups.
A principal is the element of a policy that identifies who is allowed or denied access to a resource: a user (an IAM user, a federated user, or an assumed-role user), an AWS account, an AWS service, or another principal entity. The specified principals are allowed or denied permission to perform actions on AWS resources.
Cross-account access is when AWS resources in one account are accessed from another account on the basis of a trust relationship. IAM roles are the primary way to grant cross-account access.