How to Assume IAM Role in AWS and Use It
AWS IAM Assume Role is a mechanism that enables a user or service to assume a specific IAM role temporarily. This allows the user or service to acquire temporary security credentials, including access keys, session tokens, and permissions, to perform actions within AWS resources. The assumed role can have different permissions and policies than the original user or service, ensuring a granular level of access control and reducing the need for sharing long-term credentials.
In this post, we’ll create a new IAM user without any permissions granted, and a new role with some permissions, while configuring the role assumption. Then we’ll demonstrate the use cases of assumed role with Github Actions and Terraform.
Assume Role
First things first, let’s create a new IAM user.
- Go to the AWS management console -> IAM page -> Users tab, click on the “Add users” button.
- Enter a user name
spa-deployment
(for example), select the checkbox “Access key - Programmatic access” because we’re only going to provide programmatic access at this point in time. - Do not provide any permissions, and create the IAM user, which can not do anything theoritically.
- Go back to the Users tab, click on the new user we just created, and copy the User ARN to store it in a temporary place.
- Create access credentials(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) for the user for later use.
Next, create a new IAM role.
- Go to IAM page -> Roles tab, click on the “Create role” button.
- Select trusted entity type “Custom trust policy”, and use below JSON for the policy. Use the new IAM user’s ARN in the policy. The policy will allow the IAM user to assume this role.
- Add permissions
AmazonS3FullAccess
,CloudFrontFullAccess
to the role. - Enter the role name
S3-CloudFront-Access
(for example). - Create the role and copy the Role ARN as we did when we create a user.
Now we have a user and a role to assume. We can verify them using AWS CLI.
Configure the AWS CLI with the new IAM user credentials and run the following command:
|
|
It will return the user’s identity.
|
|
It will result in an Access Denied
error, because the user doesn’t have a permission to list S3 buckets.
To assume the role, use the following command:
|
|
It will return “AccessKeyId”, “SecretAccessKey”, “SessionToken”, and more. Export those values as AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
, and AWS_SESSION_TOKEN
like so:
Now we can rerun the previous commands:
These commands will list all the S3 buckets, indicating that the user now has the permissions granted by the assumed role.
Additionally, when attaching a “Trust policy” to a role, we can include an “External ID” requirement to ensure that the role can only be assumed if the 3rd party provides the correct external ID. Here’s an example policy for the use case:
Usage in Github Actions
Let’s use the user and assume role functionality in GitHub Actions. It’s a straightforward process.
|
|
ROLE_TO_ASSUME
is the Role ARN.
Adding above step to our Github actions workflow, we will have the necessary permissions to perform AWS CLI operations within the scope of the assumed role. In our example case, we can upload files to S3 buckets, invalidate CloudFront caches, and more.
Usage in Terraform
|
|
Above Terraform code demonstrates how we can assume role in the backend configuration and provider configuration, respectively. Very straightforward, isn’t it?
That’s pretty much! We have learned how to assume a role in AWS, how to use it with Github Actions and Terraform.
Happy coding!