IAM Roles

IAM roles provide this access for a limited amount of time in the form of sessions. The maximum time for this session can be 12 hours. By default, the value for this session is one hour. Temporary security credentials are associated with each of these sessions, which expire when the session ends.

Policies associated with an IAM role

There are mutiple policies associated with an IAM role that dictate the scope of permissions of the role and the entities that are allowed to use the role. These policies are as follows:

• Trust policy: This is a resource-based policy that specifies the entities allowed to assume an IAM role.

• Permissions policy: This is an identity-based policy that specifies the permissions of the role.

An IAM role can have multiple permission policies attached to it, but there can only be one trust policy attached to it. Also, we can create an IAM role without a permission policy, but specifying a trust policy is required during the creation of an IAM role.

Principal entities for an IAM role

Only the entities that are specified as the principal entities in the trust policy of an IAM role can assume that role. These principal entities are of multiple types. The types of principal entities for an IAM role are as follows:

• AWS services: An AWS service cannot use another service without proper authorization. That authorization is provided using the IAM roles. The Principal element of the trust policy is set to the service principalAWS provided service identifier of the service in this case.

• IAM identities: Both IAM users and IAM roles can assume an IAM role to get the permissions provided to that role. The Principal element of the trust policy is set to the ARNAmazon resource name of the IAM identity in this case.

• AWS accounts: Both the current and external accounts can use an IAM role to get the associated permissions. In this scenario, the Principal element of the trust policy is set to the ID of the account.

• Web identities: Users authenticated by specific external web identity providers can also be the principal entity for an IAM role. In this case, the Principal element of the trust policy is set to the DNS of the identity provider.

• External users: External users authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 OpenID Connect or a custom-built identity broker can also be specified as the principal entity in the trust policy of an IAM role.

How IAM roles work

Following is the sequence of steps illustrating how a principal entity utilizes the IAM role:

• Assuming a role: An entity can assume an IAM role by making an AssumeRole API request or by assuming the role using temporary security credentials provided by another trusted entity.

• Temporary credentials: When an entity successfully assumes an IAM role, it receives temporary security credentials consisting of an access key ID, a secret access key, and a session token. These credentials are valid for a limited duration specified by the role's configuration.

IAM roles are powerful tools for managing access to AWS resources securely. By understanding their purpose and components, we can effectively leverage IAM roles to grant temporary, fine-grained permissions to entities within and outside our AWS account, ensuring secure and efficient resource access.