IAM Users, Roles, and Policies
There are a variety of ways to authenticate yourself with IAM; Roles are one of the most commonly used. Here is a cheatsheet to get you started.
So you want to authenticate your apps to use AWS resources like S3 buckets, EC2 instances, and Glue jobs. IAM Roles help you do that.
- Go into your AWS console and create a role and a user
- When creating the role, select the required policy, e.g., S3FullAccess, and copy the Role ARN
- When you create the user, make a note of the User ARN, AWS_SECRET_KEY and AWS_ACCESS_KEY
Under the user's Permissions tab, click "Add inline policy". This lets the user we created obtain temporary credentials dynamically, by assuming the role, to access S3. The policy grants sts:AssumeRole on that one role only:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "<role-arn>"
            ]
        }
    ]
}
On the role, under Trust relationships, add the User ARN as the trusted principal. The full trust policy document looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<user-arn>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
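The two documents above are the two halves of one handshake: the user's inline policy must name exactly the role, and the role's trust policy must name exactly the user. The following is an added example, not part of the original cheatsheet, that checks both halves offline before you paste them into the console. It flags the mistakes that most often widen access: a wildcard Resource in the user policy, or a Principal of "*" or an account ":root" ARN in the trust policy (the latter trusts every identity in the account, not just the one user). The ARNs and account id are constructed placeholders standing in for <role-arn> and <user-arn>.

```python
import json

# Constructed sample ARNs standing in for the <role-arn> and <user-arn>
# placeholders copied from the console; the account id is made up.
ROLE_ARN = "arn:aws:iam::123456789012:role/s3-access-role"
USER_ARN = "arn:aws:iam::123456789012:user/app-user"

# The user's inline policy from the cheatsheet, with the placeholder filled in.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [ROLE_ARN]}
    ],
}

# The role's trust policy from the cheatsheet, as a full document.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Statement1", "Effect": "Allow",
         "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}
    ],
}

# A deliberately over-broad trust policy (constructed) to show what the
# checks flag: any AWS principal may assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM allows either a scalar or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(actions):
    return any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)


def check_user_policy(policy, expected_role_arn):
    """Findings for the user's inline policy: AssumeRole should be allowed
    on exactly the intended role, never on a wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not _grants_assume_role(actions):
            continue
        if any(a in ("sts:*", "*") for a in actions):
            findings.append("wildcard action grants more than sts:AssumeRole")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith("/*"):
                findings.append(f"AssumeRole allowed on wildcard resource {resource}")
            elif resource != expected_role_arn:
                findings.append(f"AssumeRole allowed on unexpected role {resource}")
    return findings


def check_trust_policy(policy, expected_principal_arn):
    """Findings for the role's trust policy: only the intended user
    (not '*' and not the whole account via ':root') should be trusted."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _grants_assume_role(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        if not isinstance(principal, dict):
            continue  # e.g. Service principals are outside this check
        for p in _as_list(principal.get("AWS")):
            if p == "*":
                findings.append("AWS principal '*' trusts every AWS account")
            elif p.endswith(":root"):
                findings.append(f"{p} trusts the whole account, not just the user")
            elif p != expected_principal_arn:
                findings.append(f"unexpected principal {p}")
    return findings


def policies_match(user_policy, trust_policy, role_arn, user_arn):
    """True when both halves of the AssumeRole handshake are scoped as intended."""
    return (not check_user_policy(user_policy, role_arn)
            and not check_trust_policy(trust_policy, user_arn))


if __name__ == "__main__":
    print(json.dumps(check_trust_policy(OPEN_TRUST_POLICY, USER_ARN)))
    print(policies_match(USER_POLICY, TRUST_POLICY, ROLE_ARN, USER_ARN))
```

Run it against the JSON you are about to save (load the file with json.load in place of the constructed dicts); an empty findings list for both documents means the user can assume that role and nothing else, and nobody else can assume it.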
That's it. You are all set to use AWS now.
After installing the AWS CLI, run the following command. It will prompt you for the access key and secret key we noted when creating the user.
If you forgot to note them down, don't panic: you will find them under the user you created.
aws configure
You can use the following CLI command or Python script to test the role.
aws sts assume-role --role-arn <role-arn> --role-session-name test
import boto3
from boto3.session import Session

ARN = "<role-arn>"  # the Role ARN copied from the console

def assume_role():
    """aws sts assume-role --role-arn <role-arn> --role-session-name example-role"""
    # Call STS with the user's long-lived keys (from `aws configure`) to
    # request temporary credentials for the role.
    client = boto3.client('sts')
    response = client.assume_role(RoleArn=ARN, RoleSessionName="dummy")
    # Build a new session from the temporary credentials; note the session
    # token, which the role credentials require in addition to key and secret.
    session = Session(aws_access_key_id=response['Credentials']['AccessKeyId'],
                      aws_secret_access_key=response['Credentials']['SecretAccessKey'],
                      aws_session_token=response['Credentials']['SessionToken'])
    # Confirm the new session is acting as the role by asking STS who we are.
    client = session.client('sts')
    account_id = client.get_caller_identity()["Account"]
    print(account_id)
    return client

assume_role()