
IAM roles concept in AWS - Commands & Configuration

Introduction
Sometimes you want a service or user to do things in your cloud account without sharing your password. IAM roles let you grant permissions safely to services or people for a short time, without handing out long-term credentials. Typical situations where a role is the right tool:
When an application running on a server needs to access cloud storage without embedding passwords.
When you want to allow a user from another AWS account to access your resources temporarily.
When a Lambda function needs permission to read from a database.
When you want to give temporary access to a developer without sharing your main credentials.
When an EC2 instance needs to upload files to S3 securely.
Config File - trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This JSON file defines who can use the role. Here it allows EC2 instances to assume the role and receive whatever permissions are attached to it.

Version: The policy language version.

Statement: The rules. This one allows the EC2 service (the Principal) to perform sts:AssumeRole on the role.
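The trust policy is the part people most often get wrong, so it is worth checking it before running create-role. The following is an added example, not code from the original page: it rebuilds the page's trust policy in Python, offers a small builder for other principals, and a checker that flags the two defects a reviewer looks for (no sts:AssumeRole action, or a wildcard principal that would let any AWS account assume the role). The function names and the sample policies are constructed for this illustration.

```python
import json

# Constructed copy of the page's trust-policy.json: only the EC2 service may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Actions that let a principal assume a role; "*" and "sts:*" cover them too.
ASSUME_ACTIONS = {
    "sts:AssumeRole",
    "sts:AssumeRoleWithWebIdentity",
    "sts:AssumeRoleWithSAML",
    "sts:*",
    "*",
}


def build_trust_policy(principal_key, principal_value):
    """Return a trust policy that lets one principal assume the role.

    principal_key is "Service" (e.g. ec2.amazonaws.com, lambda.amazonaws.com)
    or "AWS" (an account or role ARN from another account). Helper written
    for this example, not an AWS API.
    """
    if principal_key not in ("Service", "AWS"):
        raise ValueError("principal_key must be 'Service' or 'AWS'")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {principal_key: principal_value},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    # IAM accepts either a single string or a list in most fields.
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return a list of findings; an empty list means the policy looks sound.

    Checks: the version string, that every Allow statement actually grants an
    assume-role action (otherwise nothing can use the role), and that no
    statement trusts every principal via "*".
    """
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append("no Statement: nothing can assume the role")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ASSUME_ACTIONS for a in actions):
            findings.append(f"statement {i}: no sts:AssumeRole* action, the role cannot be assumed")
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: Principal '*' trusts every AWS principal")
        elif isinstance(principal, dict):
            for key, value in principal.items():
                if "*" in _as_list(value):
                    findings.append(f"statement {i}: Principal {key} '*' trusts every AWS principal")
        else:
            findings.append(f"statement {i}: missing Principal")
    return findings


if __name__ == "__main__":
    # Write the page's policy to disk (as the CLI expects) and report on two variants.
    with open("trust-policy.json", "w") as fh:
        json.dump(EC2_TRUST_POLICY, fh, indent=2)
    print("page policy:", check_trust_policy(EC2_TRUST_POLICY) or "OK")
    print("lambda policy:", check_trust_policy(build_trust_policy("Service", "lambda.amazonaws.com")) or "OK")
    print("open policy:", check_trust_policy(build_trust_policy("AWS", "*")))
```

Run it with `python check_trust.py`; it writes trust-policy.json in the current directory, which you can then pass to `aws iam create-role --assume-role-policy-document file://trust-policy.json`. The wildcard check matters most for cross-account roles: a trust policy with "AWS": "*" and no Condition is assumable from any account.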

Commands
Create a new IAM role named MyEC2Role with a trust policy that allows EC2 instances to use it.
Terminal
aws iam create-role --role-name MyEC2Role --assume-role-policy-document file://trust-policy.json
Expected Output
{
    "Role": {
        "Path": "/",
        "RoleName": "MyEC2Role",
        "RoleId": "AROAJEXAMPLEID",
        "Arn": "arn:aws:iam::123456789012:role/MyEC2Role",
        "CreateDate": "2024-06-01T12:00:00Z",
        "AssumeRolePolicyDocument": "{...}"
    }
}
--role-name - Sets the name of the new role.
--assume-role-policy-document - Specifies the trust policy JSON file.
Attach a policy to the role that allows read-only access to Amazon S3 buckets.
Terminal
aws iam attach-role-policy --role-name MyEC2Role --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Expected Output
No output (command runs silently)
--role-name - Specifies which role to attach the policy to.
--policy-arn - Specifies the Amazon Resource Name of the policy to attach.
Check which policies are attached to the role to confirm the permissions.
Terminal
aws iam list-attached-role-policies --role-name MyEC2Role
Expected Output
{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        }
    ]
}
--role-name - Specifies the role to list policies for.
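The last command prints what is attached, but a practitioner usually wants a yes/no answer: does the role carry exactly the policies it should, and nothing broader? The following is an added example, not part of the original page: it parses the JSON that `aws iam list-attached-role-policies` returns (the sample below is constructed to match the output shown above) and compares it with an expected list, flagging missing policies (the "attached no policies" mistake), unexpected ones, and a few AWS managed policies that grant far more than a single-purpose role needs. The list of broad policies and the function names are this example's own choices.

```python
import json
import sys

# Constructed sample in the shape returned by
# `aws iam list-attached-role-policies --role-name MyEC2Role` on this page.
SAMPLE_OUTPUT = """{
    "AttachedPolicies": [
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        }
    ]
}"""

# AWS managed policies whose scope is rarely right for a role with one job.
BROAD_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
}


def attached_policy_arns(output_text):
    """Parse the CLI JSON and return the set of attached policy ARNs."""
    data = json.loads(output_text)
    return {p["PolicyArn"] for p in data.get("AttachedPolicies", [])}


def audit_role_policies(output_text, expected_arns, broad_arns=BROAD_POLICY_ARNS):
    """Compare what is attached with what the role is supposed to have.

    Returns a dict of three sets:
      missing    - expected but not attached (the role cannot do its job)
      unexpected - attached but not in the expected list (scope creep)
      broad      - attached policies from the broad list (least privilege violated)
    """
    attached = attached_policy_arns(output_text)
    expected = set(expected_arns)
    return {
        "missing": expected - attached,
        "unexpected": attached - expected,
        "broad": attached & set(broad_arns),
    }


def main():
    # Usage: aws iam list-attached-role-policies --role-name MyEC2Role > out.json
    #        python audit_role.py out.json
    # With no argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    expected = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
    result = audit_role_policies(text, expected)
    for kind, arns in result.items():
        print(f"{kind}: {sorted(arns) or 'none'}")
    # Non-zero exit makes this usable as a gate in a pipeline.
    sys.exit(1 if any(result.values()) else 0)


if __name__ == "__main__":
    main()
```

The audit only covers managed policies attached with attach-role-policy; inline policies (put-role-policy) are listed by a different command, `aws iam list-role-policies`, and would need a separate check.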
Key Concept

If you remember nothing else from this pattern, remember: IAM roles let services or users get temporary permissions safely without sharing passwords.

Common Mistakes
Not setting the correct trust policy to allow the service to assume the role.
Without the right trust policy, the service cannot use the role, so permissions won't work.
Always create or update the trust policy to include the correct service or user that needs the role.
Attaching no policies or wrong policies to the role.
The role has no permissions or insufficient permissions to perform actions.
Attach the exact policies that grant the needed permissions for the role's purpose.
Trying to use the role without configuring the service (like EC2) to assume it.
The service won't automatically get the role's permissions without proper configuration.
Assign the IAM role to the service instance or resource properly, for example, when launching an EC2 instance.
Summary
Create an IAM role with a trust policy that defines who can use it.
Attach permission policies to the role to grant needed access.
Verify attached policies to ensure the role has correct permissions.