What is AssumeRole and when should you use it?
AssumeRole is an STS API call that returns a set of temporary security credentials.
These temporary credentials consist of an access key ID, a secret access key, and a session token, and they expire after a fixed duration (one hour by default).
You use AssumeRole to act under a role's permissions, typically to access AWS resources that your own IAM user does not normally have access to. Every call made with the temporary credentials is logged in CloudTrail under the assumed-role session, so the role's permissions are delegated without handing out anyone's long-lived keys.
Simulation
A boss wants to temporarily give interns IAMReadOnlyAccess. Currently the interns' IAM users have no permissions at all.
Steps
1. The boss creates a role with the IAMReadOnlyAccess managed policy attached (in this post, I'll name it ForInterns_IAMReadOnlyAccess).
2. The boss edits the role's trust relationship. In this step it is important to list every intern's IAM user ARN as a trusted principal, because only the principals named here can call sts:AssumeRole on the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::185197443529:user/test-intern-01",
          "arn:aws:iam::185197443529:user/test-intern-02"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```

   Because the users are named explicitly, they need no identity-based sts:AssumeRole permission of their own; if the principal were the account root (arn:aws:iam::185197443529:root) instead, each intern's user would additionally need an identity policy allowing sts:AssumeRole on this role. Also note that if an intern's user is deleted and recreated with the same name, AWS replaces the ARN in the trust policy with the old user's unique ID, so the new user will not be trusted until the policy is edited again.
3. The boss gives the role's ARN to the interns.
Now the interns can do the following. First, store the intern's own (long-lived) credentials as the default profile:

```bash
aws configure   # enter the intern's access key ID and secret access key
```

Then add a profile to ~/.aws/config that points at the role (no sudo needed; the file belongs to the intern's own user). This creates a profile named 'role-attached-intern':

```ini
[profile role-attached-intern]
role_arn = <ROLE_ARN_THAT_BOSS_GAVE>
source_profile = default
```

The CLI will call sts:AssumeRole with the default profile's credentials, cache the temporary credentials, and refresh them when they expire:

```bash
aws iam list-users                                  # AccessDenied: the intern's user has no IAM permissions
aws iam list-users --profile role-attached-intern   # works: runs under the role's IAMReadOnlyAccess permissions
```
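The same flow done programmatically, as an added example that is not part of the original post: a helper builds the trust policy shown above for a list of intern user names, another unpacks the three-part credential set that AssumeRole returns, and `assume_role` performs the STS call with boto3 and returns a session that runs under the role. The account ID, role name and intern names are taken from the post; the session name `intern-readonly`, the `default` source profile and the `boto3` dependency are assumptions. The AWS call only runs under `__main__` with real credentials; the two helpers work offline.

```python
"""Assume an IAM role with STS and use its temporary credentials (added example)."""
import json
from datetime import datetime, timezone

# Values from the post; the session name is an assumption for this example.
ACCOUNT_ID = "185197443529"
ROLE_NAME = "ForInterns_IAMReadOnlyAccess"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
SESSION_NAME = "intern-readonly"


def build_trust_policy(account_id, user_names):
    """Return the role trust policy that lets the named IAM users assume the role.

    Naming users explicitly (rather than the account root) means the users
    need no identity-based sts:AssumeRole permission of their own.
    """
    principals = [f"arn:aws:iam::{account_id}:user/{name}" for name in user_names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def credentials_from_response(resp, now=None):
    """Unpack the temporary credential triple from an AssumeRole response.

    `resp` has the shape boto3 returns from sts.assume_role(); `now` is
    injectable so the remaining lifetime can be computed deterministically.
    """
    creds = resp["Credentials"]
    now = now or datetime.now(timezone.utc)
    remaining = int((creds["Expiration"] - now).total_seconds())
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # required alongside the key pair
        "seconds_remaining": remaining,
    }


def assume_role(role_arn, session_name, source_profile="default", duration=3600):
    """Call sts:AssumeRole with the source profile's long-lived credentials and
    return (boto3.Session built on the temporary credentials, seconds until expiry)."""
    import boto3  # imported here so the helpers above work without boto3 installed

    base = boto3.Session(profile_name=source_profile)
    resp = base.client("sts").assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # appears in CloudTrail and in the assumed-role ARN
        DurationSeconds=duration,
    )
    creds = credentials_from_response(resp)
    session = boto3.Session(
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
    )
    return session, creds["seconds_remaining"]


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, ["test-intern-01", "test-intern-02"])
    print(json.dumps(policy, indent=2))

    # Requires the intern's credentials in the default profile and network access.
    session, ttl = assume_role(ROLE_ARN, SESSION_NAME)
    print("now acting as:", session.client("sts").get_caller_identity()["Arn"])
    print("temporary credentials expire in", ttl, "seconds")
    for user in session.client("iam").list_users()["Users"]:
        print(user["UserName"])
```

The `get_caller_identity` call is the quickest check that the switch worked: it returns an ARN of the form arn:aws:sts::185197443529:assumed-role/ForInterns_IAMReadOnlyAccess/intern-readonly rather than the intern's user ARN, and that same session name is what shows up in CloudTrail for every call the intern makes under the role.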