Using an IAM role assumed as an IAM user
This example shows how to configure the shared AWS config and credentials files to support logging in to an AWS SDK or developer tool using an IAM role. The SDK or tool assumes the role using the credentials of a separate IAM user.
Scenario description
This scenario requires that you have two entities created in IAM:
-
An IAM user, which in this example we call UserAlpha. This user has an IAM policy that permits it to perform only the sts:AssumeRole operation. The following JSON policy document describes this user's permissions in IAM policy language. To better understand the components of IAM policy language, see IAM JSON policy elements reference in the IAM User Guide. However, when getting started, it is far more common to use the AWS Management Console to create users, roles, and so on graphically rather than writing the documents by hand.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
Note that "Resource": "*" lets UserAlpha attempt to assume any role, in this account or any other, whose trust policy admits it. In practice, restrict Resource to the ARN of RoleBeta (arn:aws:iam::123456789012:role/RoleBeta) so that the user can assume only the role it is meant to.
-
An IAM role, which in this example we call RoleBeta. This role has a trust policy that enables any principal in the account (123456789012, the same account as the role_arn used later) to assume the role. An account-root principal does not grant anything by itself; it delegates the decision to the identity policies of that account's users and roles, which is why UserAlpha also needs the sts:AssumeRole permission above.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
It also has an IAM permissions policy that enables it to perform any action in Amazon S3. When getting started, it is far more common to use the AWS Management Console and attach an AWS managed policy (for example, AmazonS3FullAccess) instead of writing this document.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
A tighter trust policy names UserAlpha's own ARN as the Principal instead of the account root, so that only that user can assume the role regardless of which other identities in the account have sts:AssumeRole permission.
How to configure the profile
The following example shared AWS config file and shared AWS credentials file show how you can configure SDK or AWS developer tool access using RoleBeta. The role profile carries no keys of its own: source_profile names the profile whose credentials sign the AssumeRole request, and role_arn identifies the role to assume. You can also set role_session_name in the role profile so that the session name recorded in CloudTrail is something recognisable instead of the tool's generated default.
Contents of shared config file
[profile UserAlpha]
region = us-west-2
output = json

[profile RoleBeta]
source_profile = UserAlpha
role_arn = arn:aws:iam::123456789012:role/RoleBeta
Contents of shared credentials file
[UserAlpha]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
How to use the profile
As an example, you can run the following AWS CLI command to list the Amazon S3 buckets available in the account. The AWS CLI sees that the RoleBeta profile references the source_profile UserAlpha. It looks up UserAlpha's access key and secret key, and uses them to call the sts:AssumeRole operation on the ARN of RoleBeta. That operation returns short-term credentials for RoleBeta that the AWS CLI uses to call the S3 ListBuckets operation (the IAM action it requires is s3:ListAllMyBuckets, which RoleBeta's s3:* policy covers). The CLI caches the temporary credentials and reuses them until they expire, so later commands with the same profile do not repeat the AssumeRole call. If the command fails with an AccessDenied error from STS, check both sides: UserAlpha's identity policy must allow sts:AssumeRole on RoleBeta's ARN, and RoleBeta's trust policy must admit UserAlpha's account or ARN. To confirm which identity a profile resolves to before running anything else, call the STS GetCallerIdentity operation with the same profile; the returned ARN should be an assumed-role ARN for RoleBeta, not UserAlpha's user ARN.
$ aws s3api list-buckets --profile RoleBeta
{
  "Buckets": [
    {
      "Name": "my-first-bucket",
      "CreationDate": "2018-08-31T07:46:02+00:00"
    },
    {
      "Name": "my-second-bucket",
      "CreationDate": "2019-09-17T19:17:31+00:00"
    },
    {
      "Name": "my-third-bucket",
      "CreationDate": "2018-06-12T23:18:08+00:00"
    }
  ],
  "Owner": {
    ...truncated...
  }
}
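As an added example that is not part of the AWS documentation, the following Python script performs the same profile resolution offline: it parses constructed copies of the two files above, follows source_profile from RoleBeta to UserAlpha's keys, and evaluates the two policies that have to agree before STS would hand back role credentials. The user ARN, the tightened variant of UserAlpha's policy, and the function names are assumptions; no call to STS is made.

```python
import configparser
import fnmatch

# Constructed copies of the two files on this page; the key pair is AWS's
# documentation placeholder, not a real credential.
CONFIG_TEXT = """
[profile UserAlpha]
region = us-west-2
output = json

[profile RoleBeta]
source_profile = UserAlpha
role_arn = arn:aws:iam::123456789012:role/RoleBeta
"""
CREDENTIALS_TEXT = """
[UserAlpha]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""
ROLE_BETA_ARN = "arn:aws:iam::123456789012:role/RoleBeta"
# Assumed ARN of the user behind those keys (the page shows none).
USER_ALPHA_ARN = "arn:aws:iam::123456789012:user/UserAlpha"

# UserAlpha's identity policy as on the page, and a tightened variant (assumed
# here) that permits assuming RoleBeta only.
USER_ALPHA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}
USER_ALPHA_POLICY_TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_BETA_ARN}]}
# RoleBeta's trust policy: an account-root principal delegates the decision to
# IAM in that account, so any principal there with sts:AssumeRole qualifies.
ROLE_BETA_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}}]}


def load_profiles(config_text, credentials_text):
    """Merge both files into {profile_name: settings}. The config file writes
    sections as "[profile NAME]" (only [default] is bare); the credentials
    file uses bare "[NAME]"; the CLI treats them as one namespace."""
    profiles = {}
    for text, prefix in ((config_text, "profile "), (credentials_text, "")):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(text)
        for section in parser.sections():
            name = section[len(prefix):] if section.startswith(prefix) else section
            profiles.setdefault(name, {}).update(parser[section])
    return profiles


def resolve_profile(profiles, name, _seen=()):
    """Follow source_profile links down to static keys. Returns (role_arns,
    keys): the roles to assume in order, and the keys that sign the first
    AssumeRole request. A source_profile loop raises ValueError."""
    if name in _seen:
        raise ValueError(f"source_profile loop through {name!r}")
    prof = profiles[name]
    if "role_arn" in prof:
        chain, keys = resolve_profile(profiles, prof["source_profile"], _seen + (name,))
        return chain + [prof["role_arn"]], keys
    if "aws_access_key_id" not in prof:
        raise ValueError(f"profile {name!r} has neither role_arn nor static keys")
    return [], {k: prof[k] for k in ("aws_access_key_id", "aws_secret_access_key")}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_policy_allows(policy, action, resource):
    """Single-policy IAM evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. IAM's * and ? wildcards map onto fnmatch; action
    names are case-insensitive, resource ARNs are not."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
               and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


def trust_policy_allows(trust, principal_arn):
    """Does the trust policy admit principal_arn for sts:AssumeRole? It does
    if a statement names that exact ARN or the root of its account."""
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    for stmt in trust["Statement"]:
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            if any(p in (principal_arn, account_root)
                   for p in _as_list(stmt["Principal"].get("AWS", []))):
                return True
    return False


def plan_assume_role(profile_name, user_policy=USER_ALPHA_POLICY):
    """What the CLI would send to STS for profile_name, and the two IAM-side
    checks that must both pass before STS returns temporary credentials."""
    chain, keys = resolve_profile(load_profiles(CONFIG_TEXT, CREDENTIALS_TEXT), profile_name)
    if not chain:
        raise ValueError(f"profile {profile_name!r} assumes no role")
    role_arn = chain[0]  # first hop; chained role profiles would follow in order
    return {"RoleArn": role_arn, "SignedWith": keys["aws_access_key_id"],
            "UserPolicyAllows": identity_policy_allows(user_policy, "sts:AssumeRole", role_arn),
            "TrustPolicyAllows": trust_policy_allows(ROLE_BETA_TRUST, USER_ALPHA_ARN)}
```

plan_assume_role("RoleBeta") returns RoleBeta's ARN as the AssumeRole target, AKIAIOSFODNN7EXAMPLE as the key that signs the request, and both policy checks true. Passing USER_ALPHA_POLICY_TIGHT instead gives the same result for RoleBeta, while identity_policy_allows refuses any other role ARN under the tightened policy and permits it under the page's "Resource": "*" policy, which is the difference the caveat in the scenario description is about.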