Implementing assume role

  1. In an organization with multiple AWS accounts, assuming a role can serve as a form of single sign-on. Managing separate IAM users in each account is inconvenient and hard to keep track of, so assuming a role is preferred in these scenarios.
  2. Assuming a role is more secure than using long-lived IAM user credentials.

Overview

Configuration in account A

1. Create the role to be assumed, with its associated permission policies.

1.1 While creating the role, select "Another AWS account" as the trusted entity and provide the account ID of the account where the IAM users (or other applications) live. An External ID is preferred when a third party assumes this role; in our case only our own IAM users use the role, so it is not required. If you want additional security, enable "Require MFA"; for the sake of simplicity we are skipping this as well.

Configurations on Account B

  1. Log in to the IAM console.
  2. Set up IAM users and groups. It is always good practice to create groups and attach permissions to the group rather than to individual users. We have set up a group grp_s3_admin and will give the users in this group permission to assume the assumerole-s3-access role.
  3. Click on grp_s3_admin, then on Inline Policies. Create a custom policy as follows, give it an appropriate name, and click Apply Policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "< arn of the role to be assumed >"
    }
  ]
}

Post scenarios

After the role has been created, additional permissions may be required by the user, for instance access to Athena in addition to S3 full access. In that case the inline policy lists the ARNs of both roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "< arn of the assumerole-s3-access>",
        "< arn of the assumerole-athena-access>"
      ]
    }
  ]
}
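The two policy documents this walkthrough configures by hand, the trust policy on the role in account A (with the optional External ID and Require MFA settings described above) and the sts:AssumeRole inline policy for grp_s3_admin in account B, generated and sanity-checked in Python. This is an added example, not code from the original post; the account ID and role ARNs in it are constructed sample values.

```python
"""Build the two policy documents this walkthrough describes."""
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Trust policy for the role in account A.

    The principal is the whole trusted account B, as when "Another AWS account"
    is selected in the console. external_id adds the sts:ExternalId condition
    and require_mfa adds aws:MultiFactorAuthPresent, the two optional settings
    the walkthrough skips.
    """
    if not ACCOUNT_ID_RE.match(trusted_account_id):
        raise ValueError(f"not a 12-digit account id: {trusted_account_id!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_assume_role_policy(role_arns):
    """Inline policy for grp_s3_admin: sts:AssumeRole on the listed role ARNs only."""
    arns = list(role_arns)
    for arn in arns:  # reject anything that is not an IAM role ARN
        if not ROLE_ARN_RE.match(arn):
            raise ValueError(f"not an IAM role ARN: {arn!r}")
    # A single role keeps the scalar form used earlier; several use the list form.
    resource = arns if len(arns) > 1 else arns[0]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": resource}]}


if __name__ == "__main__":  # constructed sample account id and role, not real resources
    print(json.dumps(build_trust_policy("123456789012", require_mfa=True), indent=2))
    print(json.dumps(build_assume_role_policy(
        ["arn:aws:iam::123456789012:role/assumerole-s3-access"]), indent=2))
```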

Assuming role via AWS CLI

After the role has been set up, a few more steps are needed to use those resources from the AWS CLI. I'm assuming here that you have already installed the AWS CLI and are fairly familiar with it. I'm demonstrating the configuration changes needed to access resources in a different account.

  1. Open a command line tool.
  2. Configure the CLI profile by running aws configure --profile STS and entering your access key and secret key.
  3. Edit the ~/.aws/config file as follows (the section name must be written as "profile STS", and role_arn and source_profile go on separate lines):
[profile STS]
region = <aws-region>
output = json

[default]
role_arn = arn:aws:iam::123456789012:role/assumerole-s3-access
source_profile = STS

Suman Dhakal
AWS certified Solutions Architect — Associate