IAM Role
💡 Definition
An IAM Role is an IAM identity that you create in your account and that carries specific permissions. It is similar to an IAM user, but instead of being uniquely associated with one person, a role is intended to be assumed by any trusted entity that needs it.
🔑 Key Concepts
- Temporary Credentials: When you assume a role, you get temporary security credentials (access key, secret key, session token) that expire after a set time.
- No Password/Keys: Roles do not have permanent long-term credentials like passwords or access keys associated with them.
- Trusted Entity: You define "who" can assume the role (e.g., an AWS service like EC2, another AWS account, or a federated user).
⚙️ How it Works
- Create Role: Define the permissions (a policy) and the trust relationship (who is allowed to assume it).
- Assume Role: An entity (e.g., an EC2 instance) requests to assume the role.
- Get Token: AWS returns temporary credentials.
- Action: The entity uses these credentials to perform actions (e.g., write to an S3 bucket).
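The four steps above, as an added example that is not part of these notes or of AWS's own code: a simplified Python model of a role's trust-policy check followed by issuance of expiring credentials. The trust policy, account ID and ExternalId are constructed sample values, and the evaluation logic is a deliberately reduced model of STS (no wildcards, no Deny statements).

```python
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed trust policy ("who can assume the role"): the EC2 service in this
# account, plus one cross-account principal that must present an ExternalId.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def may_assume(trust_policy, principal, external_id=None):
    """True if an Allow statement for sts:AssumeRole matches the caller (simplified model)."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        trusted = [p for v in stmt["Principal"].values() for p in _as_list(v)]
        if principal not in trusted:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue  # cross-account caller without the agreed ExternalId
        return True
    return False

def assume_role(trust_policy, principal, external_id=None, duration_seconds=3600):
    """Return temporary credentials with an expiry, or raise if the caller is not trusted."""
    if not may_assume(trust_policy, principal, external_id):
        raise PermissionError(f"{principal} is not a trusted entity for this role")
    now = datetime.now(timezone.utc)
    return {
        # ASIA prefix is how AWS marks temporary access keys; values here are random stand-ins
        "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
        "SecretAccessKey": secrets.token_urlsafe(30),
        "SessionToken": secrets.token_urlsafe(60),
        "Expiration": now + timedelta(seconds=duration_seconds),
    }
```

The permissions policy attached to the role is a separate document that governs what the issued credentials can do (step 4); this model only covers steps 2 and 3.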
🎯 Use Cases
- AWS Services: Allowing an EC2 instance or Lambda function to access other AWS services without storing secrets in code.
- Cross-Account Access: Allowing a user in Account A to access resources in Account B.
- Federation: Allowing users from an external identity provider (like Active Directory) to access AWS.
💰 Pricing Model
- Free feature of IAM.
📝 Exam Tips (CLF-C02)
- Use roles for AWS Services (like EC2) to avoid hardcoding credentials.
- Use roles for Cross-Account Access.
- Keywords: "Assume Role", "Temporary Credentials", "Federation".