Does an AWS service automatically assume a needed IAM role?



  • Suppose I create a role with AssumeRolePolicyDocument allowing an AWS service (e.g. s3.amazonaws.com) to assume the role - do I need to in some way tell the service to assume the role, or will it automatically assume the role if it needs a permission that the role grants?

    The motivation for this question is S3 Inventory, where according to the docs the S3 principal is what's accessing resources: https://docs.aws.amazon.com/AmazonS3/latest/userguide/configure-inventory.html



  • I think you may have this a little backwards.

    S3 is a service that you may want to access with a role. S3 would not be accessing anything, things access s3.

    So, if you made IAM role ABC, you could set up policy to allow it to list and write to a specific S3 bucket, for example.

    You could also make role ABC assume-able by another role. In that case, you may have a server with default IAM role (instance profile) XYZ and the assume role policy can state that XYZ can assume ABC, which would then let it access S3.

    Any entity is just one role at a time. So, once your server assumed ABC from XYZ, it effectively is just ABC.

    You can also assume roles from IAM users - but IAM users are generally bad practice as they are very losable.

    Assuming a role is a very explicit operation, you have to do it on purpose. Some programs may "seem" like they do it easily by configuration, but in reality if they are assuming a role, they are running very specific code for it, similarly to what you would do to assume the role from a command line.

    Example Tutorial

    Here is a decent AWS tutorial for assuming roles in a CLI to get familiar with it.

    https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/

    The final command looks like this:

    aws sts assume-role --role-arn \
    "arn:aws:iam::123456789012:role/example-role" \
    --role-session-name AWSCLI-Session
    

    But that assumes role arn:aws:iam::123456789012:role/example-role is set up to allow your current role (whatever it is) to assume it. Note that role assumption within an account only requires the target role to allow it, but role assumption between two AWS accounts requires the source and target role to be set upt o allow it.


Log in to reply
 


Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2