Using an IAM role assumed as an IAM user - AWS SDKs and Tools

Using an IAM role assumed as an IAM user

This example shows how to configure the shared AWS config and credentials files to support logging in to an AWS SDK or developer tool using an IAM role. The SDK or tool assumes the role using the credentials of a separate IAM user.

Scenario description

This scenario requires that you have two entities created in IAM:

  • An IAM user that in this example we call UserAlpha. This user has IAM policy permissions that allow it to perform only the sts:AssumeRole operation; it has no direct access to any other service. The following JSON policy document describes this user's permissions in IAM policy language. To better understand the components of IAM policy language, see IAM JSON policy elements reference in the IAM User Guide. However, when getting started, it is far more common to use the AWS Management Console to create users, roles, and policies graphically rather than writing the documents by hand.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "*"
            }
        ]
    }
  • An IAM role that in this example we call RoleBeta. This role has a trust policy whose principal is the account's root ARN, which enables all IAM users and roles in that account to assume the role. Trusting the account root delegates the decision to the account's own IAM policies: a principal in the account can assume RoleBeta only if its permission policy also allows sts:AssumeRole, which is why UserAlpha needs the permission policy shown above. The empty "Condition" block adds no further restriction.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::231179739868:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }

    It also has IAM permission policies that enable it to perform any action in Amazon S3 on any resource. When getting started, it is far more common to use the AWS Management Console and attach AWS managed policies instead of writing a policy like this one.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    }

How to configure the profile

The following example shared AWS config file and shared AWS credentials file show how you can configure SDK or AWS developer tool access using RoleBeta. The user's long-term keys live only in the credentials file; the config file holds the role profile and points at the user profile through source_profile.

Contents of shared config file

[profile UserAlpha]
region = us-west-2
output = json

[profile RoleBeta]
source_profile = UserAlpha
role_arn = arn:aws:iam::123456789012:role/RoleBeta

Contents of shared credentials file

[UserAlpha]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

How to use the profile

As an example, you can run the following AWS CLI command to list the Amazon S3 buckets available in the account. The AWS CLI sees that the RoleBeta profile references the source_profile UserAlpha. It looks up UserAlpha's access key and secret key in the credentials file, and uses them to call the sts:AssumeRole operation on the ARN of RoleBeta. That operation returns short-term (temporary) credentials for RoleBeta, which the AWS CLI then uses to call the S3 ListBuckets API operation. The long-term keys of UserAlpha are never sent to Amazon S3; they are used only to obtain the temporary role credentials.

$ aws s3api list-buckets --profile RoleBeta
{
    "Buckets": [
        {
            "Name": "my-first-bucket",
            "CreationDate": "2018-08-31T07:46:02+00:00"
        },
        {
            "Name": "my-second-bucket",
            "CreationDate": "2019-09-17T19:17:31+00:00"
        },
        {
            "Name": "my-third-bucket",
            "CreationDate": "2018-06-12T23:18:08+00:00"
        }
    ],
    "Owner": {
        ...truncated...
    }
}
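The profile resolution described above (role profile, then source_profile, then static keys) can be checked offline before any STS call is made. The following Python script is an added example, not AWS code: it embeds constructed copies of the two files from this page and walks the source_profile chain the way the CLI does, rejecting a missing source profile, a malformed role_arn, or a cycle.

```python
import configparser
import re

# Constructed sample files mirroring this page's scenario (AWS's documentation example key, not a real credential).
CONFIG = """[profile UserAlpha]
region = us-west-2
output = json

[profile RoleBeta]
source_profile = UserAlpha
role_arn = arn:aws:iam::123456789012:role/RoleBeta
"""
CREDENTIALS = """[UserAlpha]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::(\d{12}):role/[\w+=,.@/-]+$")


def profile_settings(name, config_text, credentials_text):
    """Merge one profile's settings: config uses '[profile X]', credentials '[X]', and credentials win."""
    merged = {}
    for text, section in ((config_text, f"profile {name}"), (credentials_text, name)):
        parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
        parser.read_string(text)
        if parser.has_section(section):
            merged.update(parser[section])
    return merged or None


def resolve_chain(name, config_text=CONFIG, credentials_text=CREDENTIALS, _seen=()):
    """Follow source_profile links as the CLI does before calling STS (offline; steps innermost first)."""
    if name in _seen:
        raise ValueError("source_profile cycle: " + " -> ".join(_seen + (name,)))
    settings = profile_settings(name, config_text, credentials_text)
    if settings is None:
        raise ValueError(f"profile {name!r} not found in config or credentials file")
    if "role_arn" in settings:
        match = ROLE_ARN.match(settings["role_arn"])
        if not match:
            raise ValueError(f"malformed role_arn in profile {name!r}")
        if "source_profile" not in settings:
            raise ValueError(f"profile {name!r} has role_arn but no source_profile")
        chain = resolve_chain(settings["source_profile"], config_text, credentials_text, _seen + (name,))
        return chain + [{"profile": name, "step": "sts:AssumeRole",
                         "role_arn": settings["role_arn"], "account": match.group(1)}]
    if "aws_access_key_id" in settings and "aws_secret_access_key" in settings:
        return [{"profile": name, "step": "static keys", "access_key_id": settings["aws_access_key_id"]}]
    raise ValueError(f"profile {name!r} has neither role_arn nor static keys")
```

Calling resolve_chain("RoleBeta") returns the static-key step for UserAlpha followed by the sts:AssumeRole step for RoleBeta, which is exactly the order in which the CLI obtains credentials for the command above.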