AWScloud~30 mins

IAM roles concept in AWS - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

IAM Roles Concept

📖 Scenario: You are setting up permissions for an AWS Lambda function to access an S3 bucket securely. To do this, you need to create an IAM role that the Lambda function can assume. This role will have a policy attached that allows reading objects from the S3 bucket.

🎯 Goal: Create an IAM role with a trust policy for Lambda service, attach a permission policy to allow reading from a specific S3 bucket, and configure the Lambda function to use this role.

📋 What You'll Learn

Create an IAM role named LambdaS3ReadRole with a trust policy allowing Lambda service to assume it.

Create an inline policy named S3ReadPolicy that allows s3:GetObject on the bucket example-bucket.

Attach the S3ReadPolicy inline policy to the LambdaS3ReadRole role.

Configure a Lambda function named MyLambdaFunction to use the LambdaS3ReadRole role.

💡 Why This Matters

🌍 Real World

IAM roles are essential for securely granting AWS services permissions to access other AWS resources without sharing long-term credentials.

💼 Career

Understanding IAM roles and policies is critical for cloud engineers and developers to implement secure and least-privilege access in AWS environments.

Progress0 / 4 steps

Create IAM Role with Trust Policy

Create an IAM role named LambdaS3ReadRole with a trust policy that allows the Lambda service (lambda.amazonaws.com) to assume this role. Use the AWS CLI JSON format for the trust policy document.

AWS

# Your code here to create the IAM role LambdaS3ReadRole with trust policy

Need a hint?

The trust policy must allow the Lambda service to assume the role using sts:AssumeRole.

Create Inline Policy for S3 Read Access

Create an inline policy named S3ReadPolicy that allows the action s3:GetObject on the resource arn:aws:s3:::example-bucket/*. Use the AWS CLI JSON format for the policy document.

AWS

aws iam create-role --role-name LambdaS3ReadRole --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
# Your code here to create the inline policy S3ReadPolicy

Need a hint?

The inline policy must allow s3:GetObject on all objects in example-bucket.

Attach Inline Policy to IAM Role

Attach the inline policy S3ReadPolicy to the IAM role LambdaS3ReadRole. (This is done in step 2 with put-role-policy, so no new command is needed here. Just confirm the policy is attached.)

AWS

aws iam create-role --role-name LambdaS3ReadRole --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
aws iam put-role-policy --role-name LambdaS3ReadRole --policy-name S3ReadPolicy --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}'
# Confirm the inline policy is attached (no new code needed)

Need a hint?

The inline policy is attached using put-role-policy in step 2, so no new command is needed here.

Configure Lambda Function to Use IAM Role

Create a Lambda function named MyLambdaFunction and configure it to use the IAM role LambdaS3ReadRole. Use the AWS CLI command to create the function with the role ARN. Assume the deployment package is function.zip and the handler is index.handler with runtime python3.12.

AWS

aws iam create-role --role-name LambdaS3ReadRole --assume-role-policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}'
aws iam put-role-policy --role-name LambdaS3ReadRole --policy-name S3ReadPolicy --policy-document '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}'
# Your code here to create MyLambdaFunction with role LambdaS3ReadRole

Need a hint?

Use the full ARN of the role LambdaS3ReadRole in the --role parameter. Replace 123456789012 with your AWS account ID.