Table of contents

1. Introduction
2. IAM Roles
3. Roles Terms and Concepts
4. IAM Roles Use Cases
5. Some Cases of Roles
6. Create an IAM Role
7. Frequently Asked Questions
   7.1. What do you mean by IAM?
   7.2. What are the primary elements in AWS IAM identity management?
   7.3. What are IAM Roles in AWS?
   7.4. What are different IAM Roles?
8. Conclusion
Last Updated: Mar 27, 2024

AWS IAM Roles

Author Aniket Majhi

Introduction

Welcome readers! We hope that you are doing well.

In today's computing world, cloud computing is a consistent and reliable strategy. It is widely popular in the industry and is being adopted by more and more firms. AWS is one of the best and most popular platforms for cloud computing.

In this article, we will discuss AWS IAM Roles in depth, which will help you extend your knowledge of them.

So, without further ado, let’s start the topic.

IAM Roles

IAM stands for Identity and Access Management. AWS IAM is a service that offers secure access control mechanisms for all of your AWS services and, in some cases, resources. It is the heart of security.

An IAM role is similar to an IAM user: it is an IAM identity with permission policies that determine what the identity can and cannot do in AWS. Unlike a user, however, a role does not have long-term credentials such as a password or access keys. Instead, assuming the role provides temporary security credentials for the role session. A role is intended to be assumable by anyone who needs it rather than being uniquely associated with one person, so an IAM user can temporarily assume a role to take on different permissions for a specific task.

Roles Terms and Concepts

The following terms and concepts relate to roles:

  • Role: An IAM identity that you can create in your account with specific permissions.

  • AWS service role: A role that a service assumes to perform actions in your account on your behalf.

  • AWS service role for an EC2 instance: A special service role that an application running on an Amazon EC2 instance can assume to perform actions in your account.

  • AWS service-linked role: A unique service role linked directly to an AWS service. It includes all the permissions that the service requires to call other AWS services on your behalf.

  • Role chaining: Using a role to assume a second role through the AWS CLI or API.

  • Delegation: Granting permissions to someone to allow access to resources you control. It involves setting up a trust between two accounts.

  • Federation: Creating a trust relationship between an external identity provider and AWS. Users can sign in via external web identity providers such as Amazon, Google, and Facebook.

  • Federated user: An existing identity from AWS Directory Service, your enterprise user directory, or a web identity provider.

  • Trust policy: A JSON policy document that defines which principals are allowed to assume the role.

  • Permissions policy: A JSON permissions document that defines what actions and resources the role can use.

  • Permissions boundary: An advanced feature in roles. It uses a managed policy to limit the maximum permissions that an identity-based policy can grant to the role.

  • Principal: An entity in AWS that can perform actions and access resources. It can be an AWS account root user, an IAM user, or a role.

  • Role for cross-account access: A role that grants a trusted principal in a different account access to resources in one account.

IAM Roles Use Cases

There are two ways in which roles can be used:

  • IAM Console: While working in the IAM Console, an IAM user who wants to use a role can temporarily take on its permissions by giving up their original user permissions. The original permissions are restored when the IAM user exits the role.

  • Programmatic Access: An application or AWS service can use a role by making programmatic requests to AWS for temporary security credentials.
     

IAM roles can also be used by the following:

  • IAM Users
     
  • Applications and Services
     
  • Federated Users

Some Cases of Roles

Following are some common use cases for roles:

  1. Providing access to an AWS service.

  2. Switching to a role as an IAM user in one AWS account to access another account that you own.

  3. Providing access to a third party. When third parties need access to your AWS resources, you can use roles to delegate access to them without sharing security credentials.

  4. Providing access to externally authenticated users, such as:

  • Web identity federation: Users do not require a custom sign-in or user identities. Users can use an external identity provider such as Amazon, Google, or Facebook.

  • SAML: SAML stands for Security Assertion Markup Language. SAML-based federation is an open framework that many identity providers use. It provides single sign-on access to the AWS Management Console.

Create an IAM Role

  • Log in to the AWS Management Console at https://console.aws.amazon.com/iam/.

  • In the console's navigation pane, choose Roles and then choose Create role.

  • Select the AWS account role type.

  • If you want to create a role for your own account, choose This account. Otherwise, choose Another AWS account.

  • If you chose Another AWS account, enter the Account ID you want to grant access to. If you are giving permissions to users from an account that you do not control, select Require external ID. If you want to restrict the role to users who sign in with multi-factor authentication (MFA), select Require MFA.

  • Choose Next.

  • Select Create policy to create a new policy from scratch.

  • After creating the policy, select the check box next to each permissions policy you want anyone who assumes the role to have.

  • Optionally set a permissions boundary: open the Set permissions boundary section, choose Use a permissions boundary to control the maximum role permissions, and select the policy to use for the permissions boundary.

  • Choose Next.

  • For Role name, enter a name for your role.

  • Enter a description for the new role.

  • Choose Edit in the Step 1: Select trusted entities and Step 2: Add permissions sections to edit the use cases and permissions for the role.

  • Add metadata to the role by attaching tags as key-value pairs.

  • Choose Create role.
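As an added example (not code from the original article or from AWS), the Python below builds the trust policy that the Another AWS account steps produce, including the Require external ID and Require MFA conditions described in the terms section, and checks a simulated AssumeRole request against it. The account ID and external ID are constructed placeholders, and the evaluator is a deliberately simplified model of IAM's real policy evaluation.

```python
import json

# Constructed placeholder values, not real account IDs or secrets.
TRUSTED_ACCOUNT = "111122223333"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(trusted_account, external_id=None, require_mfa=False):
    """Trust policy for the "Another AWS account" role type: the trusted account
    is the principal, "Require external ID" adds an sts:ExternalId condition and
    "Require MFA" adds an aws:MultiFactorAuthPresent condition."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def can_assume(trust_policy, caller_account, external_id=None, mfa_present=False):
    """Simplified check of an AssumeRole request against the trust policy. Only
    the forms emitted by build_trust_policy are understood; real IAM evaluation
    also considers the caller's own permissions."""
    for stmt in trust_policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue  # caller is not in the trusted account
        cond = stmt.get("Condition", {})
        wanted_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_id is not None and external_id != wanted_id:
            continue  # wrong or missing external ID (confused-deputy protection)
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue  # MFA required but not present in the caller's session
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(TRUSTED_ACCOUNT, EXTERNAL_ID, True), indent=2))
```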

Frequently Asked Questions

What do you mean by IAM?

IAM stands for Identity and Access Management. AWS IAM is a service that offers secure access control mechanisms for all of your AWS services and, in some cases, resources. It is the heart of security.
 

What are the primary elements in AWS IAM identity management?

The AWS IAM identity management consists of:

  • Users
  • Groups
  • Roles
  • Policy
     

What are IAM Roles in AWS?

AWS Identity and Access Management (IAM) roles provide a way to access AWS by relying on temporary security credentials.
 

What are different IAM Roles?

There are three different IAM Roles:

  • Basic roles
  • Predefined roles
  • Custom roles

Conclusion

In this article, we have extensively discussed the AWS IAM Roles.

We started with the basic introduction, and then we discussed

  • What IAM Roles are
  • Roles Terms and Concepts
  • IAM Roles Use Cases
  • Some Cases of Roles
  • How to create an IAM Role
     

We hope that this blog has helped you enhance your knowledge regarding AWS IAM Roles. If you would like to learn more, check out our articles on AWS Data Science Certification and AWS Interview Questions.


Happy Reading!
