Definition: An IAM identity that can be assumed by trusted entities to obtain a set of permissions for making AWS service requests.
Key Features
Delegation of Permissions: Allows granting permissions to users and services without issuing permanent credentials (e.g., user name and password).
Temporary Security Credentials: Used by IAM users or AWS services that assume a role to make AWS API calls. These credentials expire automatically.

Characteristics
No Permanent Credentials: Roles have no associated long-term credentials such as passwords or access keys.
Temporary Assumption: IAM users can assume a role temporarily to gain the permissions needed for specific tasks.

Role Assignment
Federated Users: Roles can be assigned to federated users who sign in through an external identity provider.
Assumption Methods: Roles can be assumed via:
  Console: Temporarily assume a role through the AWS Management Console.
  Programmatically: Use the AWS CLI, Tools for Windows PowerShell, or the API.

IAM Roles with EC2 Instances
Instance Profiles: Used to grant permissions to applications running on EC2 instances.
Single Role Assignment: Only one role can be assigned to an EC2 instance at a time.
Role Assignment Timing: A role can be assigned at instance creation or at any time afterwards.
Credential Retrieval: Applications retrieve temporary security credentials from the instance metadata service.
Manual Creation: Instance profiles must be created manually when using the AWS CLI or API (the console creates them automatically).

Role Delegation
Creating an IAM Role: Involves setting up two policies:
  Permissions Policy: Grants the role the permissions it needs on a resource.
  Trust Policy: Specifies the trusted accounts allowed to assume the role.
Principal Specification: Wildcards (*) cannot be used as a principal in the trust policy.
Permissions Policy for Trusted Account: A permissions policy granting permission to assume the role must also be attached to the user in the trusted account.
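The two-policy setup for role delegation is easiest to see with concrete policy documents. The following is an added example, not part of the original notes or of any AWS-provided code: it embeds constructed sample trust and permissions policies (the account IDs and the role name ExampleRole are placeholders) and checks the three points above, namely that the trust policy allows sts:AssumeRole, that it names concrete principals rather than a wildcard, and that the user in the trusted account has a permissions policy allowing it to assume that specific role.

```python
"""Trust-policy and permissions-policy checks for IAM role delegation.

Added example, not from the original notes. Policy documents below are
constructed samples; account IDs and the role name are placeholders.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample: trust policy naming one concrete account as principal.
TRUST_POLICY_OK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: trust policy with a wildcard principal (should be rejected).
TRUST_POLICY_WILDCARD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: permissions policy attached to the user in the trusted
# account, allowing that user to assume exactly one role.
TRUSTED_USER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::999988887777:role/ExampleRole",  # placeholder ARN
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals_in(statement):
    """Flatten the Principal element to a list of principal strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):          # "Principal": "*"
        return [principal]
    found = []
    for values in principal.values():       # keys such as AWS, Service, Federated
        found.extend(_as_list(values))
    return found


def trust_policy_findings(policy_json):
    """Return a list of problems found in a role trust policy (empty means OK)."""
    policy = json.loads(policy_json)
    findings = []
    assume_statements = 0
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
            a.startswith("sts:assumerole") for a in actions
        ):
            continue
        assume_statements += 1
        for p in principals_in(stmt):
            if "*" in p:                    # wildcard principals are not allowed
                findings.append(f"wildcard principal not allowed: {p!r}")
    if assume_statements == 0:
        findings.append("no Allow statement for sts:AssumeRole")
    return findings


def user_can_assume(policy_json, role_arn):
    """True if the trusted-account user's permissions policy allows
    sts:AssumeRole on role_arn (exact ARN or a matching wildcard resource)."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("sts:assumerole", "sts:*", "*") for a in actions) and any(
            fnmatchcase(role_arn, r) for r in resources
        ):
            return True
    return False


if __name__ == "__main__":
    role = "arn:aws:iam::999988887777:role/ExampleRole"
    print("trust policy OK:", trust_policy_findings(TRUST_POLICY_OK))
    print("trust policy wildcard:", trust_policy_findings(TRUST_POLICY_WILDCARD))
    print("trusted user may assume ExampleRole:", user_can_assume(TRUSTED_USER_POLICY, role))
```

Running the script reports no findings for the first trust policy, flags the wildcard principal in the second, and confirms that the trusted-account user's own policy permits assuming ExampleRole but not any other role. In practice the trust policy on the role and the permissions policy on the caller must both allow the assumption; either one alone is not enough.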