
How to Create IAM Role in AWS: Step-by-Step Guide

To create an IAM role in AWS, define a trust policy that specifies who can assume the role, then attach permission policies that grant the role access to AWS resources. Use the AWS Management Console, AWS CLI, or Infrastructure as Code tools like AWS CloudFormation to create the role with these policies.
📐

Syntax

An IAM role requires two main parts: a trust policy that defines who can use the role, and permission policies that define what the role can do.

The trust policy is a JSON document specifying the trusted entities (like AWS services or users). The permission policies are JSON documents that grant permissions.

```json
{
  "RoleName": "string",
  "AssumeRolePolicyDocument": "string (JSON trust policy)",
  "Description": "string (optional)",
  "MaxSessionDuration": number (optional, seconds),
  "PermissionsBoundary": "string (optional ARN)",
  "Tags": [
    {"Key": "string", "Value": "string"}
  ]
}
```
💻

Example

This example creates an IAM role named MyExampleRole that allows EC2 instances to assume it and grants permission to read from S3 buckets.

```bash
aws iam create-role \
  --role-name MyExampleRole \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"
      }
    ]
  }'

aws iam attach-role-policy \
  --role-name MyExampleRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
```

Output

Role created with ARN: arn:aws:iam::123456789012:role/MyExampleRole
Policy AmazonS3ReadOnlyAccess attached to role MyExampleRole
⚠️

Common Pitfalls

  • Incorrect trust policy: Forgetting to specify the correct Principal will prevent entities from assuming the role.
  • Missing permissions: Not attaching permission policies means the role has no access rights.
  • Using wildcard permissions: Overly broad permissions can cause security risks.
  • Not specifying session duration: Can lead to unexpected session timeouts.
Wrong trust policy example (it trusts an IAM user, so EC2 instances cannot assume the role):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:user/SomeUser"},
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Right trust policy example for EC2:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
```
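As an added check that is not part of the original guide, the Python script below inspects a trust policy and a permission policy offline for the first three pitfalls above: a trust policy that never names the intended service principal, a wildcard principal, and wildcard actions or resources. The policy documents are constructed inline and the function names are my own.

```python
import json

# Constructed trust policies for the check; the "wrong" one trusts an IAM user
# instead of the EC2 service, exactly the pitfall described above.
WRONG_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/SomeUser"}, "Action": "sts:AssumeRole"}]})
RIGHT_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]})
# Constructed permission policy with both a wildcard action and a wildcard resource.
BROAD_PERMS = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "s3:*", "Resource": "*"}]})

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allow_statements(doc):
    """Parse a policy document and return only its Allow statements."""
    policy = json.loads(doc)
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def check_trust_policy(doc, expected_service):
    """Return findings for a trust policy meant to be assumed by one AWS service."""
    findings = []
    trusts_expected = False
    for st in _allow_statements(doc):
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("wildcard principal: any AWS account could assume this role")
        if isinstance(principal, dict) and expected_service in _as_list(principal.get("Service")):
            trusts_expected = True
    if not trusts_expected:
        findings.append(f"no Allow statement trusts {expected_service}; the intended service cannot assume the role")
    return findings

def check_permission_policy(doc):
    """Return findings for wildcard actions or resources in a permission policy."""
    findings = []
    for st in _allow_statements(doc):
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            findings.append("wildcard action grants every API call in the service")
        if "*" in _as_list(st.get("Resource")):
            findings.append("wildcard resource grants access to every resource")
    return findings

if __name__ == "__main__":
    print(check_trust_policy(WRONG_TRUST, "ec2.amazonaws.com"))
    print(check_permission_policy(BROAD_PERMS))
```

Run the checks against the document you are about to pass to `aws iam create-role`; an empty list means none of these three pitfalls were found.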
📊

Quick Reference

Key points to remember when creating IAM roles:

  • AssumeRolePolicyDocument defines who can use the role.
  • Attach permission policies to grant access rights.
  • Use AWS CLI commands create-role and attach-role-policy.
  • Set MaxSessionDuration to control session length.
  • Tag roles for easier management.

Key Takeaways

Define a trust policy to specify who can assume the IAM role.
Attach permission policies to grant the role access to AWS resources.
Use AWS CLI or console to create the role and attach policies.
Avoid overly broad permissions to keep your environment secure.
Test the role by assuming it from the trusted entity.