
DEVOPSZONES


    How to Create an IAM Role with Assumed Role Permissions

    Introduction:

    In the world of cloud computing, security is of paramount importance. AWS Identity and Access Management (IAM) provides a powerful and flexible way to manage access to your AWS resources. One of the key features of IAM is the ability to create roles with assumed role permissions. This allows one role to assume the permissions of another, enabling delegation of access and reducing the need for sharing long-term credentials. In this blog, we will explore how to create an IAM role that can assume another role, providing a granular and secure access control mechanism.


    Step 1: Understand the Concept of AssumeRole

    Before diving into the implementation details, it is important to grasp the concept of AssumeRole. AssumeRole is an AWS Security Token Service (STS) API operation (the `sts:AssumeRole` action referenced in IAM policies) that enables an IAM entity (such as a user, group, or role) to obtain temporary credentials carrying the permissions of another IAM role. The role being assumed is referred to as the "target role," and the role that assumes the target role is called the "source role." The source role must have explicit permission to assume the target role.


    Step 2: Create the Target Role

    To begin, let's create the target role, which is the role that we want to be assumed by another role. Follow these steps:


    1. Open the IAM console and navigate to the Roles section.

    2. Click on "Create role."

    3. Choose the appropriate trusted entity for your use case (e.g., AWS service, another AWS account, web identity, or SAML 2.0 federation).

    4. Select the permissions that the target role should have. These permissions define the access level for the assumed role.

    5. Configure any additional settings as needed, such as tags or role description.

    6. Review and create the role.


    Step 3: Create the Source Role

    Now that we have the target role, we can create the source role that will assume the target role. Follow these steps:


    1. Open the IAM console and navigate to the Roles section.

    2. Click on "Create role."

    3. Choose the appropriate trusted entity, which in this case would be the AWS service "iam.amazonaws.com."

    4. Select the permissions that the source role should have. These permissions determine what the source role can do before assuming the target role.

    5. In the "Permissions" tab, scroll down to the "Trust relationships" section and click on "Edit trust relationship."

    6. Define the trust policy document to allow the source role to assume the target role. Here's an example policy:


    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::TARGET_ACCOUNT_ID:role/TARGET_ROLE_NAME"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }



    Make sure to replace `TARGET_ACCOUNT_ID` and `TARGET_ROLE_NAME` with the appropriate values for your target role.

    7. Save the trust policy document and review the role configuration.

    8. Create the role.
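An AssumeRole call is authorized on two sides: the trust policy attached to the target role must name the caller as Principal for `sts:AssumeRole`, and (for a cross-account assume) the caller's own identity policy must allow `sts:AssumeRole` on the target role's ARN. Either half missing yields AccessDenied from STS. The following Python script is an added example, not code from the blog, that models that two-sided check offline so you can verify a policy pair before deploying it; the account IDs `111111111111`/`222222222222`, the role names and the session name are constructed placeholders. It models the cross-account case; within a single account, AWS accepts a trust policy that names the caller's role ARN explicitly without a separate identity-policy grant.

```python
"""Offline check of the two policies AWS evaluates on sts:AssumeRole.

Added example (not the blog's own code). Account IDs and role names are
constructed placeholders.
"""
import fnmatch
import json

# Constructed sample ARNs (placeholders, not real accounts).
SOURCE_ROLE_ARN = "arn:aws:iam::111111111111:role/SOURCE_ROLE_NAME"
TARGET_ROLE_ARN = "arn:aws:iam::222222222222:role/TARGET_ROLE_NAME"

# Trust policy attached to the TARGET role: who may assume it.
TARGET_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": SOURCE_ROLE_ARN},
        "Action": "sts:AssumeRole",
    }],
})

# Identity (permissions) policy attached to the SOURCE role: what it may assume.
SOURCE_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": TARGET_ROLE_ARN,
    }],
})


def _as_list(value):
    """IAM lets Action/Resource/Principal values be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM-style match: exact, or '*' / '?' wildcards in the policy value."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _decide(statements, want_action, field, candidate):
    """Explicit Deny wins, then Allow, else implicit deny (the IAM rule)."""
    allowed = False
    for st in statements:
        if not _matches(st.get("Action"), want_action):
            continue
        subject = st.get(field)
        if isinstance(subject, dict):      # Principal written as {"AWS": ...}
            subject = subject.get("AWS")   # only AWS principals are modelled here
        if not _matches(subject, candidate):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def trust_allows(trust_policy_json, caller_arn):
    """Does the target role's trust policy let caller_arn call sts:AssumeRole?"""
    stmts = json.loads(trust_policy_json)["Statement"]
    return _decide(stmts, "sts:AssumeRole", "Principal", caller_arn)


def identity_allows(identity_policy_json, target_arn):
    """Does the caller's identity policy allow sts:AssumeRole on target_arn?"""
    stmts = json.loads(identity_policy_json)["Statement"]
    return _decide(stmts, "sts:AssumeRole", "Resource", target_arn)


def can_assume(trust_policy_json, identity_policy_json, caller_arn, target_arn):
    """Cross-account rule: both halves must allow, or STS returns AccessDenied."""
    return (trust_allows(trust_policy_json, caller_arn)
            and identity_allows(identity_policy_json, target_arn))


if __name__ == "__main__":
    print(can_assume(TARGET_TRUST_POLICY, SOURCE_IDENTITY_POLICY,
                     SOURCE_ROLE_ARN, TARGET_ROLE_ARN))
    # Same trust policy, but the source role lacks the sts:AssumeRole grant.
    print(can_assume(TARGET_TRUST_POLICY, '{"Statement": []}',
                     SOURCE_ROLE_ARN, TARGET_ROLE_ARN))
```

Note that the trust policy scopes the Principal to one role ARN rather than the account root; a root principal (`arn:aws:iam::111111111111:root`) would let any identity in that account with an `sts:AssumeRole` grant assume the target role, which is a broader trust than most delegation use cases need.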


    Step 4: Testing the Assumed Role

    Now that both the target and source roles are created, it's time to test the assumed role functionality. Here's how you can test it:


    1. Switch to the AWS Management Console using the source role credentials.

    2. Use the AWS CLI or SDK to assume the target role using the AssumeRole API.

    Verify which identity the AWS CLI commands are invoked as, and then verify the IAM user's access.

    Run the aws sts get-caller-identity command as follows:

    aws sts get-caller-identity

    The aws sts get-caller-identity command outputs three pieces of information, including the ARN. The output shows something similar to arn:aws:iam::123456789012:user/Bob, which verifies that the AWS CLI commands are invoked as Bob.


    3. Verify that the assumed role is working as expected by performing the desired actions, such as accessing specific AWS resources or executing API operations.
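The caller-identity ARN changes shape once the target role has been assumed: an IAM user appears as `arn:aws:iam::ACCOUNT:user/NAME` (the blog's Bob), while a role session appears as `arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME`. The Python below is an added example, not code from the blog, that parses `aws sts get-caller-identity` output and confirms the CLI is now running under the expected target role; the two JSON strings are constructed sample output (the UserId values, the `222222222222` account and the `audit-session` name are placeholders, not real identifiers).

```python
"""Check which principal `aws sts get-caller-identity` reports.

Added example (not the blog's own code). The JSON strings are constructed
sample CLI output with placeholder identifiers.
"""
import json

# Constructed sample: output before the role switch (an IAM user, as in the blog).
BEFORE = ('{"UserId": "AIDAEXAMPLEUSERID", "Account": "123456789012", '
          '"Arn": "arn:aws:iam::123456789012:user/Bob"}')

# Constructed sample: output after a successful sts:AssumeRole (a role session).
AFTER = ('{"UserId": "AROAEXAMPLEROLEID:audit-session", "Account": "222222222222", '
         '"Arn": "arn:aws:sts::222222222222:assumed-role/TARGET_ROLE_NAME/audit-session"}')


def parse_caller_identity(output):
    """Return {"account", "kind", ...} describing the Arn in the CLI output."""
    data = json.loads(output)
    arn = data["Arn"]
    parts = arn.split(":", 5)          # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    service, account, resource = parts[2], parts[4], parts[5]
    kind, _, rest = resource.partition("/")
    info = {"account": account, "kind": kind}
    if service == "sts" and kind == "assumed-role":
        # rest is "ROLE_NAME/SESSION_NAME"
        role, _, session = rest.partition("/")
        info.update(role=role, session=session)
    elif service == "iam" and kind in ("user", "role"):
        info["name"] = rest            # keeps any IAM path prefix, e.g. "team/Bob"
    else:
        raise ValueError(f"unexpected principal type: {arn}")
    return info


def running_as_role(output, expected_account, expected_role):
    """True only if the CLI is operating under a session of the target role."""
    info = parse_caller_identity(output)
    return (info["kind"] == "assumed-role"
            and info["account"] == expected_account
            and info["role"] == expected_role)


if __name__ == "__main__":
    print(parse_caller_identity(BEFORE))
    print(running_as_role(BEFORE, "222222222222", "TARGET_ROLE_NAME"))
    print(running_as_role(AFTER, "222222222222", "TARGET_ROLE_NAME"))
```

To produce the "after" output in practice, call `aws sts assume-role --role-arn arn:aws:iam::TARGET_ACCOUNT_ID:role/TARGET_ROLE_NAME --role-session-name <name>`, export the returned temporary AccessKeyId, SecretAccessKey and SessionToken as `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`, and then run `aws sts get-caller-identity` again. If the Arn still shows `user/Bob`, the credentials from the assume-role call were not exported into the shell and the subsequent checks in this step would be exercising the user's permissions rather than the target role's.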


    Conclusion:

    By creating an IAM role with assumed role permissions, you can establish a secure and flexible access control mechanism within your AWS environment. 
