DEV Community

Cover image for [AWS Experiment] 1 - Using STS Assume Role
Sunbeom Kweon (Ben)
Sunbeom Kweon (Ben)

Posted on • Edited on

[AWS Experiment] 1 - Using STS Assume Role

AWS Link

What is AssumeRole and When to use it??

  • AssumeRole Returns a set of temporary security credentials

  • These temporary credentials consist of an access key ID, a secret access key, and a security token.

  • You may want to use AssumeRole to access AWS resources that you might not normally have access to.

Simulation

A boss is trying to give a IAMReadOnlyAccess to interns temporarily. Currently interns' IAM accounts don't have any permission to perform.

Steps

  1. The boss needs to create a role that has IAMReadOnlyAccess permission (in this post, I'll name it ForInterns_IAMReadOnlyAccess)

  2. Then edit Trust Relationship In this step, it is important to make sure and configure that the role has all interns' IAM arns as trust relationships.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::185197443529:user/test-intern-01",
          "arn:aws:iam::185197443529:user/test-intern-02"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode
  1. Give the role's arn to the interns.

  2. Now interns can do:

aws configure
# Type intern's credentials
# ...
Enter fullscreen mode Exit fullscreen mode
sudo vim ~/.aws/config
# Copy and paste following
# This will create a profile 'role-attached-intern'
# [profile role-attached-intern]
# role_arn= <ROLE_ARN_THAT_BOSS_GAVE>
# source_profile=default 
Enter fullscreen mode Exit fullscreen mode
aws iam list-users # Won't work
aws iam list-users --profile role-attached-intern # This will work
Enter fullscreen mode Exit fullscreen mode

Conclusion

Top comments (0)