How to assign IAM role to users or groups


Solution 1

You can't assign an IAM role to an IAM user or group; see the notes from this official AWS doc: https://aws.amazon.com/iam/faqs/

Q: Can I add an IAM role to an IAM group?

Not at this time.

And

Q: What is an IAM role?

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.

It looks like it's not straightforward to attach an IAM role to an IAM user; follow https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for how to do it.

In the past, I've created an IAM role for my EC2 instance, and when launching that instance I could choose that IAM role, so my EC2 instance had all the permissions set in that IAM role. Likewise, you can assign a role to other EC2 services; this is the most common use of an IAM role.

Solution 2

To assign an IAM role to an IAM user, do the following:

  1. Open the IAM Dashboard.
  2. Select the role that you want to assign to an IAM user.
  3. Edit the trust policy.
  4. Add the ARN of the IAM user in the Principal section.

That's it. Now test it out using the Switch Role feature.

Follow the same procedure to assign an IAM role to an IAM group.

Solution 3

I'd be careful about modifying trust relationships; if they're poorly configured, they can lead to your account or resource being compromised.

When granting explicit access to a user/group in the same account, you should not be modifying the trust relationship of the role. To clarify further: the role should have a trust relationship something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR ACC ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

What this essentially means is that I'm delegating permissions for this role to the account listed in "arn:aws:iam::<YOUR ACC ID>:root"; it's now up to the IAM operator of that account to grant access to this role using a policy such as this one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "<role arn>"
    }
  ]
}

This policy can be attached to a user or group, and that user or the users in the group will be able to assume the role that has the trust relationship above.

  • A user can be placed in a group to gain the permissions associated with the group, or can assume a role to enter a session where the permissions are those of the role. Users have an access key and secret access key.
  • Groups are only used to provide permissions to users, i.e. a user is placed in a group.
  • Roles are a temporary set of permissions, i.e. a user assumes a role and is granted temporary credentials for the life of the session. Role sessions have an access key, secret access key, and session token.
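The following is an added example, not code from the answers above or from AWS. It is a small Python model of how a same-account sts:AssumeRole request is decided for the two setups the answers describe: Solution 2 (the user's ARN named directly in the role's trust policy) and Solution 3 (the account root trusted in the trust policy, plus an identity-based policy on the user or group that allows sts:AssumeRole on the role). It also flags the over-broad trust relationships Solution 3 warns about. The rules follow the public IAM policy-evaluation documentation as far as this model goes (an explicit Deny always wins; an IAM user named directly in a same-account trust policy needs no identity-based grant, while a trusted account root does). The account ID, role name, user name, sample policies and helper-function names are constructed for this example, and nothing here calls AWS.

```python
"""Simplified model of same-account sts:AssumeRole evaluation (added example)."""
import fnmatch
import json

# Sample identifiers, constructed for this example (not from the post).
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Deployer"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/alisa"

# Solution 3 style: trust the account root, delegate the grant to an identity policy.
TRUST_ROOT = json.loads(json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}]}))
# Solution 2 style: name the user ARN directly in the trust policy.
TRUST_USER = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Principal": {"AWS": USER_ARN},
                             "Action": "sts:AssumeRole"}]}
# Over-broad trust policy: anyone on AWS may assume the role.
OPEN_TRUST = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Principal": "*",
                             "Action": "sts:AssumeRole"}]}
# Identity-based policies attached to the user or to the user's group.
ASSUME_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole"],
                                "Resource": ROLE_ARN}]}
DENY_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Deny", "Action": "sts:AssumeRole",
                              "Resource": ROLE_ARN}]}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """AWS principals of a statement; a bare "*" means every principal."""
    principal = statement.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def trust_policy_allows(trust_policy, principal_arn):
    """Return "explicit" if the trust policy names principal_arn itself, "root" if it
    only names the principal's account root, None if neither or if a Deny matches."""
    account = principal_arn.split(":")[4]
    root_forms = {account, f"arn:aws:iam::{account}:root"}
    result = None
    for st in trust_policy["Statement"]:
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(st["Action"])):
            continue
        hits = [p for p in _principals(st) if p == principal_arn or p in root_forms]
        if not hits:
            continue
        if st["Effect"] == "Deny":
            return None
        if principal_arn in hits:
            result = "explicit"
        elif result is None:
            result = "root"
    return result


def identity_decision(policies, action, resource):
    """Evaluate identity-based policies: explicit Deny beats Allow; no match is an
    implicit deny (None). Wildcards in Action/Resource are matched with fnmatch."""
    decision = None
    for policy in policies:
        for st in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def can_assume(trust_policy, role_arn, principal_arn, identity_policies):
    """Decide whether principal_arn may assume the role and say why."""
    trust = trust_policy_allows(trust_policy, principal_arn)
    if trust is None:
        return False, "trust policy does not name the principal or its account root"
    ident = identity_decision(identity_policies, "sts:AssumeRole", role_arn)
    if ident == "deny":
        return False, "an identity-based policy explicitly denies sts:AssumeRole"
    if trust == "explicit":
        return True, "trust policy names the user ARN directly (Solution 2)"
    if ident == "allow":
        return True, "account root is trusted and an identity policy allows sts:AssumeRole (Solution 3)"
    return False, "account root is trusted but no identity policy grants sts:AssumeRole"


def trust_policy_findings(trust_policy, own_account):
    """Flag the risky trust relationships Solution 3 warns about."""
    findings = []
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        for p in _principals(st):
            acct = p.split(":")[4] if ":" in p else p
            if p == "*":
                findings.append("trusts every AWS principal ('*')")
            elif (p.endswith(":root") or p.isdigit()) and acct != own_account and "Condition" not in st:
                findings.append(f"trusts foreign account {acct} root without a Condition (e.g. sts:ExternalId)")
    return findings


if __name__ == "__main__":
    for label, trust, idents in [
        ("root trust, no identity policy", TRUST_ROOT, []),
        ("root trust + AssumeRole policy", TRUST_ROOT, [ASSUME_POLICY]),
        ("user named in trust policy", TRUST_USER, []),
        ("user named, but explicit Deny", TRUST_USER, [DENY_POLICY]),
    ]:
        print(f"{label}: {can_assume(trust, ROLE_ARN, USER_ARN, idents)}")
    print("open trust policy findings:", trust_policy_findings(OPEN_TRUST, ACCOUNT))
```

The model is deliberately narrow: it ignores Condition keys, permission boundaries and SCPs, so treat it as a way to reason about the two grant paths rather than as a substitute for the IAM policy simulator. In practice, prefer the Solution 3 shape (account root in the trust policy, sts:AssumeRole granted by an identity policy on a group) and keep trust policies free of wildcard principals.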
Author: Alisa

I am a PDF (Postdoctoral Fellow) in Department of Computing Science at University of Alberta and I am currently working on Social Software Engineering.

Updated on May 30, 2020

Comments

  • Alisa, almost 4 years ago:

    I know how to create a user, group and role in AWS IAM. I can also attach policies to each of them. For example, after selecting a group, you can go to the Permissions tab and attach some policies to it.

    However, I don't know how to attach a role to a user or group.

    I looked at the documentation and forums but did not find anything, and would appreciate your help.