Creating a Role to Delegate Permissions to an IAM User

We can use IAM roles to delegate access to our AWS resources.

With IAM roles, we can establish trust relationships between our trusting account and other AWS trusted accounts. The trusting account owns the resource to be accessed and the trusted account contains the users who need access to the resource.

We'll be focused on how to use a role to delegate access to resources that are in different AWS accounts that we own (Production and Development).

After we create the trust relationship, an IAM user or an application from the trusted account can use the AWS Security Token Service (AWS STS) AssumeRole API action. This action provides temporary security credentials that enable access to AWS resources in our account.

The accounts can both be controlled by us, or the account with the users can be controlled by a third party. If the other account with the users is in an AWS account that we do not control, then we can use the externalID attribute and a unique identifier supplied by the third-party account. This helps ensure that access occurs only in the correct contexts.

picture source: Delegate Access Across AWS Accounts Using IAM Roles

On IAM console, choose Roles and then choose Create new role. On the Select role type page, expand the Role for cross-account access section, and then choose the type of role that we want to create:

1. Choose Select for Provide access between AWS accounts we own if we are the administrator of both the user account and the resource account, or both accounts belong to the same company. This is also the option to choose when the users, role, and resource to be accessed are all in the same account.

2. Choose Select for Allows IAM users from a 3rd party AWS account to access this account if we are the administrator of the account that owns the resource and we want to grant permissions to users from an account that we do not control. This option requires us to specify an external ID (which the third party must provide to us). With this option, we can exercise additional control over the circumstances in which the third party can use the role to access our resources.

3. On the next page, specify the AWS account ID to which we want to grant access to our resources.

   The administrator of the specified trusted account can grant permission to assume this role to any IAM user in the trusted account. To do this, the administrator attaches a policy to the user or a group that grants permission for the sts:AssumeRole action and that specifies the role's ARN as the Resource.

4. If we chose Allows IAM users from a 3rd party AWS account to access this account on the Select role type page, type the external ID provided by the administrator of the third party account. This automatically adds a condition to the trust policy that allows the user to assume the role only if the request includes the correct sts:ExternalID.

5. If we want to restrict the role to users who sign in by using multi-factor authentication (MFA) device, select the Require MFA option. This adds a condition to the role's trust policy that checks for an MFA sign-in. A user who wants to assume the role must sign in with a temporary one-time password from a configured MFA device. Users without MFA authentication cannot assume the role.

6. Choose Next Step.

7. On the Attach policy page, choose one or more permissions policies to attach to the role. Choose policies that specify what actions can be done on specific resources (similar to setting permissions for IAM groups).

   The permissions that we specify are available to any entity that uses the role. By default, a role has no permissions.

   Select the box next to the policy that assigns the permissions that we want the users to have, and then choose Attach policy. We can choose to select no policies at this time, create the policies later, and then attach them to the role.

8. For Role name, type a suffix to add to the service-linked role default name. This suffix helps us identify the purpose of this role. Role names must be unique within our AWS account. They are not distinguished by case. For example, we cannot create roles named both PRODROLE and prodrole. Because various entities might reference the role, we cannot edit the name of the role after it has been created.

9. Review the role settings. Note the link provided for we to give to users who can use the role. When the user chooses this link, the user is taken directly to the Switch Role page with the Account ID and Role Name already filled in. The user is asked for credentials if he or she is not already signed in. The user can optionally set a Display Name and can select a Display Color. When the user chooses Switch Role, the user immediately begins operating with the new permissions.

10. Choose Create role to complete the creation of the role.

    Remember that this is only the first half of the configuration required. We must also give individual users in the trusted account permissions to switch to the role.

11. After we create the role and grant it permissions to perform AWS tasks or access AWS resources, the user can switch to the role.

Ref: Creating a Role to Delegate Permissions to an IAM User

We'll see how to use a role to delegate access to resources that are in different AWS accounts that we own (Production and Development). We share resources in one account with users in a different account. By setting up cross-account access in this way, we don't need to create individual IAM users in each account. In addition, users don't have to sign out of one account and sign into another in order to access resources that are in different AWS accounts. After configuring the role, we see how to use the role from the AWS Management Console, the AWS CLI, and the API.

The Production account is where live applications are managed, and the Development account is a sandbox where developers and testers can freely test applications. In each account, application information is stored in Amazon S3 buckets. We manage IAM users in the Development account, where yweou have two IAM groups: Developers and Testers. Users in both groups have permissions to work in the Development account and access resources there. From time to time, a developer must update the live applications in the Production account. These applications are stored in an Amazon S3 bucket called productionapp.

At the end of this tutorial, we have a role in the Production account (the trusting account) that allows users from the Development account (the trusted account) to access the productionapp bucket in the Production account. Developers can use the role in the AWS Management Console to access the productionapp bucket in the Production account. They can also access the bucket by using API calls that are authenticated by temporary credentials provided by the role. Similar attempts by a Tester to use the role fail.

AWS (Amazon Web Services)

1. AWS : EKS (Elastic Container Service for Kubernetes)
2. AWS : Creating a snapshot (cloning an image)
3. AWS : Attaching Amazon EBS volume to an instance
4. AWS : Adding swap space to an attached volume via mkswap and swapon
5. AWS : Creating an EC2 instance and attaching Amazon EBS volume to the instance using Python boto module with User data
6. AWS : Creating an instance to a new region by copying an AMI
7. AWS : S3 (Simple Storage Service) 1
8. AWS : S3 (Simple Storage Service) 2 - Creating and Deleting a Bucket
9. AWS : S3 (Simple Storage Service) 3 - Bucket Versioning
10. AWS : S3 (Simple Storage Service) 4 - Uploading a large file
11. AWS : S3 (Simple Storage Service) 5 - Uploading folders/files recursively
12. AWS : S3 (Simple Storage Service) 6 - Bucket Policy for File/Folder View/Download
13. AWS : S3 (Simple Storage Service) 7 - How to Copy or Move Objects from one region to another
14. AWS : S3 (Simple Storage Service) 8 - Archiving S3 Data to Glacier
15. AWS : Creating a CloudFront distribution with an Amazon S3 origin
16. AWS : Creating VPC with CloudFormation
17. AWS : WAF (Web Application Firewall) with preconfigured CloudFormation template and Web ACL for CloudFront distribution
18. AWS : CloudWatch & Logs with Lambda Function / S3
19. AWS : Lambda Serverless Computing with EC2, CloudWatch Alarm, SNS
20. AWS : Lambda and SNS - cross account
21. AWS : CLI (Command Line Interface)
22. AWS : CLI (ECS with ALB & autoscaling)
23. AWS : ECS with cloudformation and json task definition
24. AWS Application Load Balancer (ALB) and ECS with Flask app
25. AWS : Load Balancing with HAProxy (High Availability Proxy)
26. AWS : VirtualBox on EC2
27. AWS : NTP setup on EC2
28. AWS: jq with AWS
29. AWS & OpenSSL : Creating / Installing a Server SSL Certificate
30. AWS : OpenVPN Access Server 2 Install
31. AWS : VPC (Virtual Private Cloud) 1 - netmask, subnets, default gateway, and CIDR
32. AWS : VPC (Virtual Private Cloud) 2 - VPC Wizard
33. AWS : VPC (Virtual Private Cloud) 3 - VPC Wizard with NAT
34. DevOps / Sys Admin Q & A (VI) - AWS VPC setup (public/private subnets with NAT)
35. AWS - OpenVPN Protocols : PPTP, L2TP/IPsec, and OpenVPN
36. AWS : Autoscaling group (ASG)
37. AWS : Setting up Autoscaling Alarms and Notifications via CLI and Cloudformation
38. AWS : Adding a SSH User Account on Linux Instance
39. AWS : Windows Servers - Remote Desktop Connections using RDP
40. AWS : Scheduled stopping and starting an instance - python & cron
41. AWS : Detecting stopped instance and sending an alert email using Mandrill smtp
42. AWS : Elastic Beanstalk with NodeJS
43. AWS : Elastic Beanstalk Inplace/Rolling Blue/Green Deploy
44. AWS : Identity and Access Management (IAM) Roles for Amazon EC2
45. AWS : Identity and Access Management (IAM) Policies, sts AssumeRole, and delegate access across AWS accounts
46. AWS : Identity and Access Management (IAM) sts assume role via aws cli2
47. AWS : Creating IAM Roles and associating them with EC2 Instances in CloudFormation
48. AWS Identity and Access Management (IAM) Roles, SSO(Single Sign On), SAML(Security Assertion Markup Language), IdP(identity provider), STS(Security Token Service), and ADFS(Active Directory Federation Services)
49. AWS : Amazon Route 53
50. AWS : Amazon Route 53 - DNS (Domain Name Server) setup
51. AWS : Amazon Route 53 - subdomain setup and virtual host on Nginx
52. AWS Amazon Route 53 : Private Hosted Zone
53. AWS : SNS (Simple Notification Service) example with ELB and CloudWatch
54. AWS : Lambda with AWS CloudTrail
55. AWS : SQS (Simple Queue Service) with NodeJS and AWS SDK
56. AWS : Redshift data warehouse
57. AWS : CloudFormation
58. AWS : CloudFormation Bootstrap UserData/Metadata
59. AWS : CloudFormation - Creating an ASG with rolling update
60. AWS : Cloudformation Cross-stack reference
61. AWS : OpsWorks
62. AWS : Network Load Balancer (NLB) with Autoscaling group (ASG)
63. AWS CodeDeploy : Deploy an Application from GitHub
64. AWS EC2 Container Service (ECS)
65. AWS EC2 Container Service (ECS) II
66. AWS Hello World Lambda Function
67. AWS Lambda Function Q & A
68. AWS Node.js Lambda Function & API Gateway
69. AWS API Gateway endpoint invoking Lambda function
70. AWS API Gateway invoking Lambda function with Terraform
71. AWS API Gateway invoking Lambda function with Terraform - Lambda Container
72. Amazon Kinesis Streams
73. AWS: Kinesis Data Firehose with Lambda and ElasticSearch
74. Amazon DynamoDB
75. Amazon DynamoDB with Lambda and CloudWatch
76. Loading DynamoDB stream to AWS Elasticsearch service with Lambda
77. Amazon ML (Machine Learning)
78. Simple Systems Manager (SSM)
79. AWS : RDS Connecting to a DB Instance Running the SQL Server Database Engine
80. AWS : RDS Importing and Exporting SQL Server Data
81. AWS : RDS PostgreSQL & pgAdmin III
82. AWS : RDS PostgreSQL 2 - Creating/Deleting a Table
83. AWS : MySQL Replication : Master-slave
84. AWS : MySQL backup & restore
85. AWS RDS : Cross-Region Read Replicas for MySQL and Snapshots for PostgreSQL
86. AWS : Restoring Postgres on EC2 instance from S3 backup
87. AWS : Q & A
88. AWS : Security
89. AWS : Security groups vs. network ACLs
90. AWS : Scaling-Up
91. AWS : Networking
92. AWS : Single Sign-on (SSO) with Okta
93. AWS : JIT (Just-in-Time) with Okta