Sunday, June 25, 2017

AWS : IAM : Roles



What is a Role?
     A set of permissions.
     Permissions are assigned to roles, not to users.
     A role can be assumed by users, by web services (for example, an EC2 instance that needs to access S3), or by federated users (Active Directory accounts, Bamboo logins, Facebook or Gmail identities, or even other Amazon accounts).

Benefits of a Role?
     No need to create permanent credentials.
     Provides temporary credentials for granting access to applications and services (i.e. the role exists permanently, and users come into it and go out of it as and when needed). A key with a limited lifetime is issued; before that lifetime expires you have to go back and get a fresh key.
     Provides the basis of cross-account access.
     Roles can be given to consultants who maintain the system and only need access periodically.



Steps to create a role
  1. Name: maximum 64 characters. Use alphanumeric and '+=,.@-_' characters.
  2. Choose role type:
    1. Service Roles
      i. One AWS service to another, for example EC2 to S3.
    2. Cross Account Access Role
      i. Provide access between AWS accounts you own: allows IAM users from one of your other AWS accounts to access this account.
        • Just specify two things: Account ID (12 digits)
        • Check box: require MFA
      ii. Provide access between your AWS account and a 3rd party AWS account: allows IAM users from a 3rd party AWS account to access this account and enforces use of an External ID.
        • Just specify three things: Account ID (12 digits)
        • Check box: require MFA
        • External ID
    3. Identity Provider Role
      i. Grant access to web identity providers: allow users from Amazon Cognito, Login with Amazon, Facebook, Google, or an OpenID Connect provider to access this AWS account.
        • Type: Amazon Cognito / Google / FB
        • Identity Pool ID
        • You can also create an "Identity Provider" in AWS
      ii. Grant Web Single Sign-On (WebSSO) access to SAML providers: allow users from a SAML provider to access this AWS account using the AWS Management Console.
        • Create and choose a SAML provider
      iii. Grant API access to SAML providers: allow users from a SAML provider to access this AWS account using the AWS CLI, SDKs, or API.
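The role types above differ mainly in their trust policy: who may call sts:AssumeRole and under which conditions (MFA present, External ID supplied). The following added example, not from the original post, builds constructed trust policies for the EC2 service role, the owned-account role with MFA, and the 3rd party role with External ID, and evaluates an AssumeRole request context against them; the account IDs and External ID are placeholders, and the evaluator is a simplified model (no Deny statements, no wildcards).

```python
# Constructed trust policies for the three role types in the steps above.
# Account ids and the external id are placeholders, not real values.
TRUST_POLICIES = {
    "ec2-service-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}}]},
    "cross-account-mfa": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    "third-party-external-id": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-ID-1234"}}}]},
}


def _principal_matches(principal, ctx):
    """Does the caller described by ctx match the statement's Principal block?"""
    for kind, allowed in principal.items():
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if kind == "Service" and ctx.get("service") in allowed:
            return True
        if kind == "AWS" and f"arn:aws:iam::{ctx.get('account')}:root" in allowed:
            return True
    return False


def _conditions_hold(condition, ctx):
    """Evaluate the Bool and StringEquals operators used in the policies above.
    A missing request key (e.g. no MFA, no ExternalId) makes the condition fail."""
    keys = ctx.get("keys", {})
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = keys.get(key)
            if operator == "Bool" and str(actual).lower() != expected:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
    return True


def can_assume(trust_policy, ctx):
    """True if the caller described by ctx is allowed to call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if _principal_matches(stmt["Principal"], ctx) and \
           _conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False  # no matching Allow statement: implicit deny
```

A request context is a dict with the caller's `service` or `account` and the condition `keys` it presents, e.g. `{"account": "222222222222", "keys": {"sts:ExternalId": "EXAMPLE-ID-1234"}}`.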



Note: any application running on that EC2 instance gets that role's permissions.



How to assign a Role to an EC2 instance?
This is the slightly tricky part: you can't assign a role to an existing EC2 instance; you need to create a new EC2 instance and assign the role to it at launch.



