# What is AssumeRole and when should you use it?
AssumeRole returns a set of temporary security credentials. These temporary credentials consist of an access key ID, a secret access key, and a security token.
You use AssumeRole to access AWS resources that your own identity would not normally have access to.
## Simulation
A boss wants to give interns IAMReadOnlyAccess temporarily. Currently the interns' IAM accounts have no permissions at all.
## Steps
1. The boss creates a role that has the IAMReadOnlyAccess permission (in this post, I'll name it ForInterns_IAMReadOnlyAccess).
2. Then edit the role's Trust Relationship. In this step, it is important to make sure the role's trust policy lists all interns' IAM ARNs as trusted principals:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::185197443529:user/test-intern-01",
          "arn:aws:iam::185197443529:user/test-intern-02"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
3. Give the role's ARN to the interns.
4. Now the interns can do:
```bash
aws configure
# Type the intern's own credentials
# ...
vim ~/.aws/config   # no sudo: the file lives in your own home directory and must stay owned by you
# Copy and paste the following.
# This creates a profile 'role-attached-intern' that assumes the role using the default profile's credentials:
# [profile role-attached-intern]
# role_arn = <ROLE_ARN_THAT_BOSS_GAVE>
# source_profile = default
aws iam list-users                                 # Won't work: the intern user itself has no permissions
aws iam list-users --profile role-attached-intern  # This will work: the CLI calls sts:AssumeRole and uses the temporary credentials
```
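As an added example (not code from the original post), the script below builds the trust policy from a list of intern ARNs, checks an existing trust policy for principals broader than that list (a `*` principal or an account `:root` principal would let far more than the interns assume the role), and renders the `~/.aws/config` stanza the interns add. It makes no AWS calls; the account id is the one from the post, and the role ARN and the `111122223333` outsider account are constructed sample values.

```python
import json

# Constructed sample: the two intern ARNs from the post's trust policy.
INTERNS = [
    "arn:aws:iam::185197443529:user/test-intern-01",
    "arn:aws:iam::185197443529:user/test-intern-02",
]

def build_trust_policy(principal_arns):
    """Trust policy that lets exactly these principals call sts:AssumeRole on the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": list(principal_arns)},
            "Action": "sts:AssumeRole",
            "Condition": {},
        }],
    }

def trust_policy_problems(policy, allowed_arns):
    """Return reasons a trust policy trusts more than the intended intern set (empty list = OK)."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue  # statement does not grant role assumption
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append("principal '*' lets any AWS account assume the role")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        for arn in aws:
            if arn == "*":
                problems.append("principal '*' lets any AWS account assume the role")
            elif arn.endswith(":root"):
                problems.append(f"{arn} trusts every principal in that account, not just the interns")
            elif arn not in allowed_arns:
                problems.append(f"{arn} is not on the intern list")
    return problems

def config_profile(profile_name, role_arn, source_profile="default"):
    """Render the ~/.aws/config stanza that makes the CLI assume role_arn for this profile."""
    return f"[profile {profile_name}]\nrole_arn = {role_arn}\nsource_profile = {source_profile}\n"

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(INTERNS), indent=2))
    print(config_profile("role-attached-intern", "arn:aws:iam::185197443529:role/ForInterns_IAMReadOnlyAccess"))
```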