IAM Role learning summary

An IAM role lets applications running on role-profiled instances make API requests securely, without anyone having to manually create and distribute AWS credentials.

The IAM FAQ draws a clear distinction between an IAM user and an IAM role:

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

Two points deserve emphasis.

  1. IAM roles cannot make direct requests to AWS services
  2. IAM roles can be assumed by three kinds of entity:
    • IAM Users
    • applications
    • AWS EC2 (or ASG)

How to understand “IAM roles cannot make direct requests to AWS services”

IMHO, an IAM user, who has credentials and the associated access, can make requests directly to AWS services using the public APIs (e.g. awscli or boto3).
An IAM role, by contrast, first has to fetch temporary credentials based on the role. From there, the bot or application can use the public API like a normal user.


A typical use case for IAM role

  1. Create an IAM role.
  2. Define which accounts or AWS services can assume the role.
  3. Define which API actions and resources the application can use after assuming the role.
  4. Specify the role when you launch your instances.
  5. Have the application retrieve a set of temporary credentials and use them.

As illustrated below,


IAM role essential usage thinking

A role is application-focused, whether it is assumed by users or by EC2. Roles exist for the sole purpose of serving a particular application’s need.
For example, a role created specifically for an EC2-related process:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": "*"
        }
    ]
}

This role is then made assumable by the auto-bot agent as well as by an actual AWS user, so that both the user and the bot can perform the same EC2 instance operations:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxx:user/hans.wang",
          "arn:aws:iam::xxxx:role/application-running-agent"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
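As an added example (not code from the post), here is a small pure-Python model of the two policies above, with a placeholder account id standing in for "xxxx". It evaluates who passes the trust policy, what the assumed role may then do, and flags a trust policy that lets any AWS principal assume the role; the evaluation is deliberately simplified (only the "AWS" principal key, no conditions).

```python
import fnmatch

ACCOUNT = "111111111111"  # placeholder; the post masks the account id as "xxxx"

# Trust policy from the post: who may call sts:AssumeRole on the role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/hans.wang",
                          f"arn:aws:iam::{ACCOUNT}:role/application-running-agent"]},
    "Action": "sts:AssumeRole"}]}

# Permissions policy from the post: what the assumed role may then do.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def can_assume(trust_policy, principal_arn):
    # Simplified trust evaluation: only the "AWS" principal key, explicit Deny wins.
    allowed = False
    for st in trust_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if any(p in ("*", principal_arn) for p in principals):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def is_allowed(policy, action, resource="*"):
    # IAM-style '*' / '?' wildcards via fnmatch; explicit Deny overrides Allow.
    decision = False
    for st in policy["Statement"]:
        acts, ress = _as_list(st["Action"]), _as_list(st["Resource"])
        if (any(fnmatch.fnmatchcase(action, a) for a in acts)
                and any(fnmatch.fnmatchcase(resource, r) for r in ress)):
            if st["Effect"] == "Deny":
                return False
            decision = True
    return decision

def effective_permission(principal_arn, action):
    # The role never acts on its own: pass the trust policy, then inherit its permissions.
    return can_assume(TRUST_POLICY, principal_arn) and is_allowed(PERMISSIONS_POLICY, action)

def trust_policy_findings(trust_policy):
    # Review helper: Allow statements that let any AWS principal assume the role.
    return [i for i, st in enumerate(trust_policy["Statement"]) if st["Effect"] == "Allow"
            and "*" in _as_list(st.get("Principal", {}).get("AWS", []))]
```

The model shows the two gates in order: a principal not listed in the trust policy gets nothing, even for an ec2:* action, while a trusted principal gets exactly the role's permissions and nothing outside ec2.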