Creating a Role to Delegate Permissions to an IAM User
You can use IAM roles to delegate access to your AWS resources. With IAM roles,
you can establish trust relationships between your trusting account and other
AWS trusted accounts. The trusting account owns the resource to be accessed
and the trusted account contains the users who need access to the resource.
After you create the trust relationship, an IAM user or an application from the
trusted account can use the AWS Security Token Service (AWS STS) AssumeRole
API action to obtain temporary security credentials that enable access to AWS
resources in your account. The accounts can both be controlled by you, or the
account with the users can be controlled by a third party. If the account with
the users is one that you do not control, you can add an external ID condition
(the sts:ExternalId condition key) to the role's trust policy, using a unique
identifier supplied by the third party, to help ensure that the role is assumed
only in the correct context. For more information, see How to Use an External ID
When Granting Access to Your AWS Resources to a Third Party.
For information about how to use roles to delegate permissions, see Roles Terms
and Concepts.
You can use the AWS Management Console to create a role that an IAM user can
switch to.
3. For Role name, type a role name to help identify the purpose of this role.
Role names must be unique within your AWS account. After you enter the
name, click Next Step.
4. On the Select Role Type page, select the Role for Cross-Account Access
section, and then select the type of role that you want to create:
Select Provide access between AWS accounts you own if you are the
administrator of both the user account and the resource account, or
both accounts belong to the same company. This is also the option to
select when the users, role, and resource to be accessed are all in the
same account.
Select Allows IAM users from a 3rd party AWS account to access
this account if you are the administrator of the account that owns the
resource and you want to grant permissions to users from an account
that you do not control. This option requires you to specify an external
ID (which the third party must provide to you) to provide additional
control over the circumstances in which the third party can use the
role to access your resources. For more information, see How to Use
an External ID When Granting Access to Your AWS Resources to a Third
Party.
Important
Selecting this option enables access to the role only
through the AWS CLI, Tools for Windows PowerShell, or the
AWS API. This is because you cannot use the AWS console
to switch to a role that has an externalID condition in its
trust policy. However, you can create this kind of access
programmatically by writing a script or an application using
the relevant SDK. For more information and a sample
script, see How to Enable Cross-Account Access to the AWS
Management Console in the AWS Security Blog.
5. On the next page, specify the AWS account ID to which you want to grant
access to your resources.
6. If you selected Allows IAM users from a 3rd party AWS account to access
this account on the Select Role Type page, type the external ID provided
by the administrator of the third-party account. This automatically adds a
condition to the trust policy that allows a user to assume the role only if
the AssumeRole request includes the matching sts:ExternalId value. For more
information, see How to Use an External ID When Granting Access to Your AWS
Resources to a Third Party.
7. If you want to restrict the role to users who sign in by using a multi-factor
authentication (MFA) device, select the Require MFA option. This adds a
condition to the role's trust policy that checks for an MFA sign-in
(aws:MultiFactorAuthPresent). A user who wants to assume the role must sign in
with a temporary one-time password from a configured MFA device. Users who did
not authenticate with MFA cannot assume the role. For more information about
MFA, see Using Multi-Factor Authentication (MFA) in AWS.
The permissions that you specify are available to any entity that uses the
role. By default, a role has no permissions.
Select the box next to the policy that assigns the permissions that you want
the users to have, and then click Attach Policy. You can choose to select no
policies at this time, create the policies later, and then attach them to the
role.
10. Click Next Step to review the role settings. Note the link provided for you to
give to users who can use the role. When the user clicks this link, the user is
taken directly to the Switch Role page with the Account ID and Role Name
already filled in. The user is asked for credentials if he or she is not already
signed in. The user can optionally set a Display Name and can select a
Display Color. When the user clicks Switch Role, the user immediately
begins operating with the new permissions.
Note
For later easy selection, the IAM console caches the last five
roles that you use. If your users need more than five roles,
consider the following solutions for easy access:
After you create the role and grant it permissions to perform AWS tasks or access
AWS resources, the user can switch to the role. For more information, see
Switching to a Role (AWS Management Console).
Creating a role from the AWS CLI involves multiple steps. When you use the
console to create a role, many of the steps are done for you, but with the AWS CLI
you must explicitly perform each step yourself. You must create the role with its
trust policy, and then attach a permissions policy to the role.
To create a role for cross-account access (AWS CLI)
The following example shows both steps in a simple environment. The example
assumes that you are using a client computer running Windows, and have
already configured your command line interface with your account credentials
and region. For more information, see Configuring the AWS Command Line
Interface.
The sample trust policy referenced in the first command contains the following
JSON code to enable users in the account 123456789012 to assume the role, but
only if the user authenticated with MFA. For more information about MFA,
see Using Multi-Factor Authentication (MFA) in AWS.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
  }
}
Important
If your Principal element contains an ARN that points to a specific
IAM role or user, then that ARN is transformed to a unique principal
ID when the policy is saved. This helps mitigate the risk of someone
escalating their privileges by removing and recreating the role or user.
You don't normally see this ID in the console, because there is also a
reverse transformation back to the ARN when the trust policy is
displayed. However, if you delete the role or user, then the
relationship is broken. The policy no longer applies, even if you
recreate the user or role because it does not match the principal ID
stored in the trust policy. When this happens, the principal ID shows
up in the console because AWS can no longer map it back to an ARN.
The end result is that if you delete and recreate a user or role
referenced in a trust policy's Principal element, you must edit the
role to replace the ARN. It will get transformed into the new principal
ID when you save the policy.
The sample permissions policy attached by the second command grants the role
only the following permission:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
# Create the role and attach the trust policy that allows users in an account to sw
aws iam create-role --role-name Test-UserAccess-Role --assume-role-policy-document
# Attach the permissions policy (in this example a managed policy) to the role to s
aws iam attach-role-policy --role-name Test-UserAccess-Role --policy-arn arn:aws:ia
Important
Remember that this is only the first half of the configuration required.
You must also enable individual users in the trusted account with
permissions to switch to the role. For more information about this
step, see Granting a User Permissions to Switch Roles.
After you create the role and grant it permissions to perform AWS tasks or access
AWS resources, the user can switch to the role. For more information, see
Switching to an IAM Role (AWS Command Line Interface).
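The following script is an added example and is not part of the AWS documentation. It builds the trust policy that console steps 4 to 7 above produce (an account root principal with optional sts:ExternalId and MFA conditions, the same shape as the sample trust policy in the CLI example), evaluates sample AssumeRole requests against it, and flags a third-party account root that is trusted without an external ID. The account IDs, user names and external ID are constructed placeholders. The evaluator models only the trust-policy half of the delegation: the caller's own identity policy must also grant sts:AssumeRole, and real IAM evaluation has more operators and context keys than are modelled here.

```python
"""Build and check IAM role trust policies for cross-account sts:AssumeRole.

Added example, not AWS code. Account IDs, user names and the external ID
are constructed placeholders. Only the trust-policy half of the delegation is
modelled; the caller's identity policy (the "second half") is not evaluated.
"""
import json


def build_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Return the trust policy the console steps produce for one trusted account.

    external_id adds the StringEquals sts:ExternalId condition (third-party accounts).
    require_mfa adds the Bool aws:MultiFactorAuthPresent condition (Require MFA).
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id is not None:
        condition.setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    if require_mfa:
        condition.setdefault("Bool", {})["aws:MultiFactorAuthPresent"] = "true"
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Match the Principal element against the calling IAM user or role ARN."""
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*" or entry == caller_arn:
            return True
        # A bare account ID or the account's :root ARN trusts every principal in
        # that account (subject to that principal's own identity policy).
        if entry == caller_account or entry == f"arn:aws:iam::{caller_account}:root":
            return True
    return False


def _condition_matches(condition, context):
    """Evaluate the two condition operators the trust policies on this page use."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual != expected:
                    return False
            elif operator == "Bool":
                # A key absent from the request context never satisfies Bool, so a
                # caller that did not authenticate with MFA is rejected, not let through.
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True


def assume_role_allowed(trust_policy, caller_arn, context):
    """Return True if the trust policy lets caller_arn call sts:AssumeRole.

    context holds the request keys the conditions reference, e.g.
    {"aws:MultiFactorAuthPresent": "true", "sts:ExternalId": "..."}.
    An explicit Deny wins over any Allow, as in IAM policy evaluation.
    """
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_findings(trust_policy, own_accounts):
    """Flag the trust-policy mistakes the page warns about.

    own_accounts is the set of account IDs you administer. Any other account's
    root granted access without an sts:ExternalId condition is open to the
    confused-deputy problem the external ID exists to prevent.
    """
    findings = []
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for entry in entries:
            if entry == "*":
                findings.append("wildcard principal: any AWS account may assume this role")
            elif entry.endswith(":root") and entry.split(":")[4] not in own_accounts and not has_external_id:
                findings.append(f"third-party account {entry.split(':')[4]} trusted without sts:ExternalId")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy("123456789012", external_id="ex-12345", require_mfa=True)
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, own_accounts={"111111111111"}))
```

The Bool branch is the detail worth noticing: a request whose context lacks aws:MultiFactorAuthPresent fails the condition outright, which is why the Require MFA option locks out callers that signed in without MFA rather than merely callers that explicitly reported MFA as false. trust_policy_findings treats an unconditioned root principal of an account you do not own as a finding, matching the page's guidance that external IDs are for third-party accounts.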
Creating a role using the Tools for Windows PowerShell involves multiple steps.
When you use the console to create a role, many of the steps are done for you,
but with the Windows PowerShell cmdlets you must explicitly perform each step
yourself. You must create the role with its trust policy, and then attach a
permissions policy to the role.
The following example shows both steps in a simple environment. The example
assumes that you have already configured your Tools for Windows PowerShell
with your account credentials and region. For more information, see Using AWS
Credentials in the AWS Tools for Windows PowerShell User Guide.
The sample trust policy file referenced in the first command contains the
following JSON code to enable users in the account 123456789012 to assume the
role, but only if the user provides MFA authentication. For more information
about MFA, see Using Multi-Factor Authentication (MFA) in AWS.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
    "Action": "sts:AssumeRole",
    "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
  }
}
The sample permissions policy attached by the second command grants the role
only the following permission:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
# Create the role and attach the trust policy that allows users in an account to sw
New-IAMRole -RoleName Test-UserAccess-Role -AssumeRolePolicyDocument (Get-Content -
# Attach the permissions policy (in this example a managed policy) to the role to s
Register-IAMRolePolicy -RoleName Test-UserAccess-Role -PolicyArn arn:aws:iam::123
Important
Remember that this is only the first half of the configuration required.
You must also enable individual users in the trusted account with
permissions to switch to the role. For more information about this
step, see Granting a User Permissions to Switch Roles.
After you create the role and grant it permissions to perform AWS tasks or access
AWS resources, the user can switch to the role. For more information, see
Switching to an IAM Role (Tools for Windows PowerShell).
You can use API calls to create a role that an IAM user can switch to.
Important
Remember that this is only the first half of the configuration required.
You must also enable individual users in the trusted account with
permissions to switch to the role. For more information about this
step, see Granting a User Permissions to Switch Roles.
After you create the role and grant it permissions to perform AWS tasks or access
AWS resources, the user can switch to the role. For more information, see
Switching to an IAM Role (API).
For more information about MFA, see Using Multi-Factor Authentication (MFA) in
AWS.
Terms of Use | 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved.