How to assign IAM role to users or groups
I know how to create a user, group and role in AWS IAM. I can also attach policies to each of them. For example, after selecting a group, you can go to the Permissions tab and attach some policies to it.

However, I don't know how to attach a role to a user or group.

I looked in the documentation and on forums, but did not find anything, and would appreciate your help.

Cranmer answered 3/1, 2018 at 21:46 Comment(1)
What is your need for attaching a role to a user? Can you explain your use case further? (Feel free to edit your question to provide more information.) - Reticle
31

You can't assign an IAM role to an IAM user or group; see the notes from this official AWS doc: https://aws.amazon.com/iam/faqs/

Q: What are IAM roles and how do they work?

AWS Identity and Access Management (IAM) roles provide a way to access AWS by relying on temporary security credentials. Each role has a set of permissions for making AWS service requests, and a role is not associated with a specific user or group. Instead, trusted entities such as identity providers or AWS services assume roles. For more information, see IAM roles.

It looks like it's not straightforward to attach an IAM role to an IAM user; follow https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html for how to do it.

In the past, I've created an IAM role for my EC2 instance, and when launching that instance I can choose that IAM role, so my EC2 instance will have all the permissions set in that IAM role. Likewise you can assign a role to other EC2 services; this is the most common use of an IAM role.

Picaroon answered 4/1, 2018 at 1:19 Comment(0)
19

To assign an IAM role to an IAM user, do the following:

  1. Open the IAM Dashboard
  2. Select the role that you want to assign to an IAM user
  3. Edit the trust policy
  4. Add the ARN of the IAM user in the Principal section

That's it. Now test it out using the Switch Role feature.

Follow the same procedure to assign an IAM role to an IAM group.

Leyba answered 11/9, 2019 at 16:08 Comment(0)
18

I'd be careful about modifying trust relationships - if they're poorly configured they can lead to your account or resource being compromised.

When granting explicit access to a user/group in the same account you should not be modifying the trust relationship of the role. To clarify further: the role should have a trust relationship something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR ACC ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

What this essentially means is that I'm delegating permissions to this role to the account listed in "arn:aws:iam::<YOUR ACC ID>:root"; it's now up to the IAM operator of that account to grant access to this role using a policy such as this one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "<role arn>"
    }
  ]
}

This policy can be attached to a user or group and that user or the users in the group will be able to assume the role that has the trust relationship above.

  • A user can be placed in a group to gain the permissions associated with the group, or can assume a role to enter a session where the permissions are now those of the role. Users have an access key and secret access key.
  • Groups are only used to provide permissions to users, i.e. a user is placed in a group.
  • Roles are a temporary set of permissions, i.e. a user assumes a role and is granted temporary credentials for the life of the session. Role sessions will have an access key, secret access key, and a session token.
Gellman answered 13/11, 2019 at 22:29 Comment(2)
Am I wrong to think that once the user has the sts:AssumeRole policy to the role ARN, assuming the role should be automatic/transparent to the user? Or do they have to manually specify --profile=role on aws cli commands? - Leija
They will be required to manually specify --profile=role, or you can run aws sts assume-role --role-arn <role arn> --role-session-name <session name> to generate a temporary set of access keys. If you export these access keys as environment variables, you will not have to pass in the --profile arg, as all commands you now run will be run within that session. More info @ docs.aws.amazon.com/cli/latest/userguide/… - Gellman
1

If you want to tie a particular role to multiple users, you can try the following in the role's custom trust policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<YOUR ACC ID>:user/<USER1 NAME>",
                    "arn:aws:iam::<YOUR ACC ID>:user/<USER2 NAME>",
                    "arn:aws:iam::<YOUR ACC ID>:user/<USER3 NAME>"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Malacostracan answered 28/2 at 11:59 Comment(2)
Does this work when making requests with the AWS CLI or SDK? :) - Hazeghi
I have not attempted this in the SDK, but it is working when making requests through the AWS CLI. - Malacostracan
-2

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.

It is clearly documented here.

https://aws.amazon.com/iam/faqs/

Matrona answered 3/1, 2018 at 21:55 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.