IAM Role

An IAM Role is an AWS Identity that has permissions to perform actions on AWS services but isn't associated with a specific user or group. Instead, IAM roles are assumed by AWS Services, IAM Users, or external identities to gain temporary access to AWS resources.


IAM Roles use temporary security credentials and are commonly used for:

  • Granting AWS Services access to other AWS resources.

  • Allowing users from other AWS Accounts or identity providers to access AWS.

  • Enabling applications and workloads running outside AWS to securely access AWS Services.

Key Features of IAM Roles

  • No long-term credentials:
    Uses temporary security tokens via AWS STS.

  • Can be assumed by entities:
    Users, applications, AWS Services, or external identities.

  • Fine-grained access control:
    Policies define what actions the role can perform.

  • Used in cross-account access:
    Allows sharing of resources between AWS Accounts.

  • Federated Access:
    Works with third-party identity providers.

How IAM Roles Work

  • A trusted entity such as a user, service, or application assumes the role.

  • AWS Security Token Service (STS) issues temporary security credentials.

  • The entity uses these credentials to access AWS Services.

  • Credentials expire after a short period, which limits how long a leaked credential can be used.


Example Use Case: An EC2 instance needs to read an S3 bucket. Instead of storing static credentials on the instance, an IAM role is attached to it to grant the necessary permissions.

Components of an IAM Role

  • Trust Policy:
    Defines who can assume the role.

  • Permissions Policy:
    Defines what actions/resources the role can access.

  • Session Duration:
    Temporary credentials expire after a set time (default 1 hour, maximum 12 hours).

  • Assume Role Action:
    AWS STS is used to assume the role and obtain credentials.



Example: Trust Policy for an IAM Role (EC2 Instance Access)


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


This allows an EC2 instance to assume the role.

Types of IAM Roles

AWS provides different types of IAM roles for different use cases:

  • Service Role (AWS Service Role)

  • Role for Cross-Account Access

  • Role for Identity Federation.

Service Role (AWS Service Role)

  • Used by AWS services such as EC2, Lambda, or RDS to access other AWS resources.

  • Example: An EC2 instance role to access an S3 bucket.

  • Assigned directly to AWS Services via the AWS Console or CLI.

Example: EC2 Role to Read S3


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
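The permissions policy above is easy to get subtly wrong: S3 ARNs have no region or account fields (so exactly three colons after "s3"), and s3:ListBucket is evaluated against the bucket ARN while s3:GetObject is evaluated against object ARNs (bucket/key). The following checker, an added example that is not part of the original post, parses a policy document and reports both kinds of mismatch. The action sets and the sample policies are constructed for this example.

```python
import json
import re

# Which S3 actions are evaluated against the bucket ARN and which against an
# object ARN. A constructed subset for this example; the authoritative list is
# the "Actions, resources, and condition keys for Amazon S3" reference.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

# arn:aws:s3:::bucket  or  arn:aws:s3:::bucket/key-pattern
# (exactly three colons after "s3"; S3 ARNs carry no region or account-id fields)
S3_ARN = re.compile(r"^arn:aws:s3:::(?P<bucket>[a-z0-9.\-]+)(?P<key>/.*)?$")


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_s3_statement(stmt):
    """Return findings (strings) for one statement; an empty list means it is consistent."""
    findings = []
    has_bucket_arn = has_object_arn = False
    for res in _as_list(stmt.get("Resource", [])):
        if res == "*":
            has_bucket_arn = has_object_arn = True
            findings.append("Resource '*' grants the actions on every bucket; scope it to the bucket ARN")
            continue
        m = S3_ARN.match(res)
        if m is None:
            findings.append(f"malformed S3 ARN {res!r}; expected arn:aws:s3:::bucket or arn:aws:s3:::bucket/key")
        elif m.group("key") is None:
            has_bucket_arn = True
        else:
            has_object_arn = True
    for action in _as_list(stmt.get("Action", [])):
        if action in BUCKET_LEVEL_ACTIONS and not has_bucket_arn:
            findings.append(f"{action} is evaluated against the bucket ARN, which this statement does not list")
        if action in OBJECT_LEVEL_ACTIONS and not has_object_arn:
            findings.append(f"{action} is evaluated against object ARNs (bucket/key), which this statement does not list")
    return findings


def check_policy(policy_json):
    """Map each statement (by Sid, or by index when no Sid is set) to its findings."""
    doc = json.loads(policy_json)
    return {stmt.get("Sid", f"Statement{i}"): check_s3_statement(stmt)
            for i, stmt in enumerate(_as_list(doc["Statement"]))}


# Constructed inputs: the first mirrors a common mistake (object ARN only, so
# ListBucket never matches), the second is the corrected EC2-reads-S3 policy.
OBJECT_ONLY_POLICY = '''{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": "arn:aws:s3:::my-bucket/*"}]
}'''

CORRECTED_POLICY = '''{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:ListBucket", "s3:GetObject"],
                 "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]
}'''

if __name__ == "__main__":
    for name, policy in [("object-only", OBJECT_ONLY_POLICY), ("corrected", CORRECTED_POLICY)]:
        print(name, json.dumps(check_policy(policy), indent=2))
```

Run it as a pre-commit check on the policy files you keep in version control; a non-empty findings list means the role will either fail a call it is supposed to allow or grant more than intended.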


Role for Cross-Account Access

  • Used to grant access between AWS Accounts.

  • Example: A role in Account A that users from Account B can Assume.

Example: Trust policy for cross-account access (allows Account B to assume the role)


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Role for Identity Federation

  • Allows users from an external identity provider (e.g., SSO, Google, Active Directory) to access AWS.

  • Used for SSO (Single Sign-On) with providers such as Google, Okta, or Active Directory.

Example: Role for Google Authentication

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity"
    }
  ]
}
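The three trust policies on this page (service principal, cross-account root principal, federated Google principal) differ in how much they trust. A reviewer usually wants to know exactly who can assume a role and whether a statement trusts more than intended: an account root principal with no ExternalId or MFA condition delegates the decision to the other account, and a web-identity provider with no audience (aud) or subject (sub) condition accepts any token that provider issues. The following auditor is an added example, not code from the original post; the finding rules are the author's own choices and the sample policies are the ones shown above.

```python
import json


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json):
    """Parse a role trust policy and return (principals, findings).

    principals: every (kind, value) pair allowed to call an sts:AssumeRole* action.
    findings:   warnings about trust broader than a single service or user.
    """
    doc = json.loads(policy_json)
    principals, findings = [], []
    for stmt in _as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a.startswith("sts:AssumeRole") for a in _as_list(stmt.get("Action", []))):
            continue
        # Flatten condition keys: {"StringEquals": {"sts:ExternalId": "x"}} -> {"sts:externalid"}
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        principal = stmt.get("Principal", {})
        if principal == "*":          # bare "Principal": "*" means any identity
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in _as_list(values):
                principals.append((kind, value))
                if value == "*":
                    findings.append(f"{kind} principal '*': only conditions "
                                    f"{sorted(cond_keys) or 'none'} limit who can assume the role")
                elif kind == "AWS" and value.endswith(":root"):
                    # Trusting account:root delegates to every principal in that account;
                    # an ExternalId or MFA condition narrows who can actually assume it.
                    if not cond_keys & {"sts:externalid", "aws:multifactorauthpresent"}:
                        findings.append(f"{value} is trusted with no ExternalId/MFA condition")
                elif kind == "Federated":
                    # Without an aud/sub condition any token from the provider, issued for
                    # any application or user, satisfies this statement.
                    if not any(k.endswith(":aud") or k.endswith(":sub") for k in cond_keys):
                        findings.append(f"federated principal {value} has no aud/sub condition")
    return principals, findings


# Sample inputs: the page's three trust policies, plus a cross-account variant
# that adds an ExternalId condition (constructed for this example).
EC2_TRUST = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'''

CROSS_ACCOUNT_TRUST = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::ACCOUNT-B-ID:root"}, "Action": "sts:AssumeRole"}]}'''

CROSS_ACCOUNT_WITH_EXTERNAL_ID = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::ACCOUNT-B-ID:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}'''

GOOGLE_TRUST = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "accounts.google.com"},
  "Action": "sts:AssumeRoleWithWebIdentity"}]}'''

if __name__ == "__main__":
    for name, policy in [("ec2", EC2_TRUST), ("cross-account", CROSS_ACCOUNT_TRUST),
                         ("cross-account+externalid", CROSS_ACCOUNT_WITH_EXTERNAL_ID),
                         ("google", GOOGLE_TRUST)]:
        principals, findings = audit_trust_policy(policy)
        print(name, principals, findings or "OK")
```

The auditor only reads the JSON; it does not call AWS, so it can run in CI against trust policies stored in a repository before they are applied with aws iam create-role or update-assume-role-policy.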

How to Create an IAM Role

Method 1: Using AWS Management Console

  1. Go to IAM Console → Click Roles → Create Role.

  2. Select Trusted Entity (AWS Service, Another AWS Account, or Identity Provider)

  3. Attach Permissions (Select an existing policy or create a new one)

  4. Name the Role and add an optional description

  5. Click Create Role. The role is now ready to be assumed.

Method 2: Using AWS CLI

Step 1: Create a trust policy JSON file (trust-policy.json)


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


Step 2: Create the IAM Role

Run the following AWS CLI Command:

$ aws iam create-role --role-name 'MyEC2Role' --assume-role-policy-document 'file://trust-policy.json'



Step 3: Attach a Policy to the Role

Attach an S3 Read-Only Policy to the role:

$ aws iam attach-role-policy --role-name 'MyEC2Role' --policy-arn 'arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess'


Step 4: Verify Role Creation

$ aws iam get-role --role-name 'MyEC2Role'


Assuming an IAM Role

Entities such as users, services, or applications assume a role to get temporary credentials.


AWS CLI Example: Assume a Role

$ aws sts assume-role --role-arn "arn:aws:iam::ACCOUNT-ID:role/MyRole" --role-session-name "Session1"


  • This returns temporary security credentials (AccessKey, SecretKey, SessionToken).


Best Practices for IAM Roles

  • Use IAM Role instead of IAM Users:
    Avoid long-term credentials.

  • Apply Least Privilege:
    Assign only the permissions the role actually needs.

  • Use Conditions:
    Restrict access by IP, MFA, or time-based conditions.

  • Monitor Role Activity:
    Use AWS CloudTrail for tracking role usage.

  • Rotate IAM Roles Regularly:
    Update role and policies periodically.
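"Use Conditions" and "Monitor Role Activity" go together: once a role's trust policy restricts callers by account, network, or MFA, CloudTrail's AssumeRole events let you confirm that only those callers actually use it. The following detection logic is an added example, not part of the original post. It runs over a few constructed CloudTrail-style records (simplified to the fields the check needs: userIdentity.accountId, sourceIPAddress, the mfaAuthenticated session attribute, and requestParameters.roleArn) against a defender-maintained table of what each role is expected to look like; the role ARN, accounts, and CIDR are placeholders.

```python
import ipaddress

# What the defender expects for each role: the accounts its trust policy names,
# the network range its users come from, and whether MFA is required.
# Constructed placeholder values for this example.
ROLE = "arn:aws:iam::111111111111:role/CrossAccountAdmin"
ROLE_EXPECTATIONS = {
    ROLE: {
        "trusted_accounts": {"222222222222"},
        "allowed_cidrs": ["203.0.113.0/24"],
        "require_mfa": True,
    },
}


def analyze_assume_role_events(records, expectations=ROLE_EXPECTATIONS):
    """Return (eventID, alert_kind, detail) tuples for AssumeRole calls that
    do not match the expectations for the role being assumed."""
    alerts = []
    for ev in records:
        if ev.get("eventName") != "AssumeRole":
            continue
        role_arn = ev.get("requestParameters", {}).get("roleArn", "")
        expect = expectations.get(role_arn)
        if expect is None:
            alerts.append((ev["eventID"], "unknown-role", role_arn))
            continue
        ident = ev.get("userIdentity", {})
        if ident.get("accountId") not in expect["trusted_accounts"]:
            alerts.append((ev["eventID"], "untrusted-account", ident.get("accountId")))
        ip = ev.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(ip)
            in_range = any(addr in ipaddress.ip_network(c) for c in expect["allowed_cidrs"])
        except ValueError:
            # Service callers log a DNS name (e.g. ec2.amazonaws.com) rather than an IP.
            in_range = False
        if not in_range:
            alerts.append((ev["eventID"], "unexpected-source", ip))
        mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated", "false")
        if expect["require_mfa"] and mfa != "true":
            alerts.append((ev["eventID"], "no-mfa", role_arn))
    return alerts


# Constructed, simplified CloudTrail records.
SAMPLE_EVENTS = [
    {   # Expected: a caller in the trusted account, from the allowed range, with MFA.
        "eventID": "evt-1", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accountId": "222222222222",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "requestParameters": {"roleArn": ROLE, "roleSessionName": "alice-admin"},
    },
    {   # Deviates on every check: untrusted account, unknown source, no MFA.
        "eventID": "evt-2", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "accountId": "333333333333",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "requestParameters": {"roleArn": ROLE, "roleSessionName": "Session1"},
    },
    {   # Not an AssumeRole call; ignored.
        "eventID": "evt-3", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "accountId": "222222222222"},
    },
]

if __name__ == "__main__":
    for alert in analyze_assume_role_events(SAMPLE_EVENTS):
        print(*alert)
```

In practice the records come from the CloudTrail log files in S3 or from CloudTrail Lake, and the expectations table is generated from the trust policies themselves so the two cannot drift apart.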
