Overview
- The access control / permission management service for all AWS services
Concepts
- Root user
- The account owner, a user with god-like (unlimited) access to all resources in this account
- IAM user
- A user created by the root user (or by other users with sufficient permissions), whose access can be limited
- Role
- An IAM user without permanent credentials
- To act as this user, one must acquire a temporary token from the IAM service, a process called “assuming a role”
- Used mostly to grant permissions to AWS services so they can talk to each other
- Can also be used to grant temporary access to third-party entities (non-AWS users)
- Policy
- A set of rules that allows / denies access to certain AWS services
- Can be attached to multiple users / roles
Assuming a Role
- The user creates a role (RoleA) and selects a service that can assume this role
- The user creates a resource in that service, e.g. launches an EC2 instance, an RDS cluster, etc., with RoleA as the linked role
- The service implicitly checks whether the user has the correct iam:PassRole permission
- If the user has that permission, the resource is launched with the RoleA information embedded
- When the service needs the accesses provided by RoleA, it calls sts:AssumeRole to get a temporary token and uses that token to act on behalf of RoleA, thus getting all accesses of RoleA
Important takeaways:
- There is no iam:PassRole API; it is a permission / contract that all AWS services obey
- Any AWS resource that requires a role to be attached during creation will check the user's iam:PassRole permission to see whether this user is allowed to attach the given role
- This prevents a user from attaching a role with unlimited access and thus bypassing its own access limitations
- The sts:AssumeRole permission is usually open so the service can assume any role it is attached to
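As an added illustration of the two checks described in the flow above and in the takeaways (example code, not from the original notes or from AWS), the following Python models a user's identity policy and RoleA's trust policy and evaluates both gates: iam:PassRole when the resource is created, and sts:AssumeRole when the service later acts as the role. The account id, the RoleA ARN, both policies and the simplified evaluation logic (explicit Deny wins, StringEquals conditions only) are constructed assumptions and do not reproduce full IAM behaviour.

```python
import fnmatch

# Constructed user policy (not a real account): may pass only RoleA, only to EC2.
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/RoleA",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
]}

# Constructed trust policy on RoleA: only the EC2 service principal may assume it.
ROLEA_TRUST = {"Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
]}

def _matches(pattern, value):
    # IAM-style case-sensitive wildcard match; pattern may be a string or a list
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def is_allowed(policy, action, resource="*", context=None):
    """Simplified IAM evaluation: explicit Deny wins, else any matching Allow (StringEquals only)."""
    context, allowed = context or {}, False
    for st in policy["Statement"]:
        if not (_matches(st.get("Action", []), action)
                and _matches(st.get("Resource", "*"), resource)):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) != v for k, v in cond.items()):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def can_service_assume(trust_policy, service):
    """Whether the role's trust policy lets this service principal call sts:AssumeRole."""
    return any(st["Effect"] == "Allow" and _matches(st.get("Action", []), "sts:AssumeRole")
               and _matches(st.get("Principal", {}).get("Service", []), service)
               for st in trust_policy["Statement"])

def launch_with_role(user_policy, trust_policy, role_arn, service):
    """Both gates from the flow above: iam:PassRole at launch, sts:AssumeRole by the service."""
    if not is_allowed(user_policy, "iam:PassRole", role_arn, {"iam:PassedToService": service}):
        return "denied: user lacks iam:PassRole for this role and service"
    if not can_service_assume(trust_policy, service):
        return "denied: the role's trust policy does not allow this service"
    return "launched: service will obtain temporary credentials via sts:AssumeRole"
```

Passing a more privileged role than the user is allowed to pass, or passing RoleA to a service its trust policy does not name, is refused at the respective gate, which is the escalation the takeaways describe iam:PassRole as preventing.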