Difference between revisions of "Action: sts:AssumeRole (aws iam role)"

 
(20 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{lowercase}}
+
[[sts:AssumeRole]]
 +
[[sts:AssumeRoleWithWebIdentity]]
  
 +
== Official example ==
 +
https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
 +
{
 +
  "Version": "2012-10-17",
 +
  "Statement": [
 +
    {
 +
      "Effect": "Allow",
 +
      "Principal": {
 +
        "AWS": "arn:aws:iam::111122223333:root"
 +
      },
 +
      "Action": "sts:AssumeRole"
 +
    }
 +
  ]
 +
}
  
 +
== Examples ==
  
 +
Access to s3:
 +
{
 +
    "Version": "2012-10-17",
 +
    "Statement": [
 +
        {
 +
            "Effect": "Allow",
 +
            "Principal": {
 +
                "Service": "s3.amazonaws.com"
 +
            },
 +
            "Action": "sts:AssumeRole"
 +
        }
 +
    ]
 +
}
 +
 +
 +
Access to s3 and one more cross-account role:
 +
{
 +
    "Version": "2012-10-17",
 +
    "Statement": [
 +
        {
 +
            "Effect": "Allow",
 +
            "Principal": {
 +
                "Service": "s3.amazonaws.com"
 +
            },
 +
            "Action": "sts:AssumeRole"
 +
        },
 +
        {
 +
            "Effect": "Allow",
 +
            "Principal": {
 +
                "AWS": "arn:aws:iam::01234567890:role/your-role",
 +
                "AWS": "arn:aws:iam::11111111111:role/your-other-role"
 +
            },
 +
            "Action": "sts:AssumeRole"
 +
        }
 +
    ]
 +
}
 +
 +
 +
 +
* [[How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?]]
  
 
  {{ecs-tasks.amazonaws.com}}
 
  {{ecs-tasks.amazonaws.com}}
 +
 +
 +
 +
 +
{{aws_iam_role ecs_task_role}}
 +
 +
{{aws_iam_role test_role}}
  
 
== Related ==
 
== Related ==
Line 16: Line 79:
 
* <code>[[aws iam list-instance-profiles]]</code>
 
* <code>[[aws iam list-instance-profiles]]</code>
 
* [[Terraform resource]]: <code>[[aws_iam_role]]</code>
 
* [[Terraform resource]]: <code>[[aws_iam_role]]</code>
* [[How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?]]
+
* <code>[[sts:AssumeRoleWithWebIdentity]]</code>
 +
* [[monitoring.rds.amazonaws.com]]
 +
* [[iam:PassRole]]
  
 
== See also ==
 
== See also ==
 
* {{aws sts}}
 
* {{aws sts}}
 +
* {{Roles}}
  
 
[[Category:AWS]]
 
[[Category:AWS]]
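Review bot: The second "Examples" policy repeats the `"AWS"` key inside the same `Principal` object, which is not valid JSON for a policy document — a parser keeps at most one of the two values and IAM's policy validation is likely to reject the document outright — so the intended "two cross-account roles" never both become trusted; list the ARNs as an array instead: `"AWS": ["arn:aws:iam::01234567890:role/your-role", "arn:aws:iam::11111111111:role/your-other-role"]`. The placeholder account IDs in those two ARNs have 11 digits where AWS account IDs are 12, so a copy of this example fails ARN validation until they are replaced; using `111122223333`-style 12-digit placeholders as the official example does would avoid that. The official example trusts `arn:aws:iam::111122223333:root`, which delegates to every principal in that account that is itself allowed `sts:AssumeRole`; a sentence saying so, and noting that cross-account trust policies usually narrow this with a `Condition` (for example on `sts:ExternalId`) as the linked AWS post describes, would help readers who copy it.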

Latest revision as of 15:59, 7 November 2024

sts:AssumeRole
sts:AssumeRoleWithWebIdentity

Official example

https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam::111122223333:root"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}

Examples

Access to s3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


Access to s3 and one more cross-account role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::01234567890:role/your-role",
                "AWS": "arn:aws:iam::11111111111:role/your-other-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


 {
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "",
     "Effect": "Allow",
     "Principal": {
       "Service": "ecs-tasks.amazonaws.com"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}



 # IAM role for ECS tasks. Only the trust (assume-role) policy is defined
 # here: it lets the ecs-tasks.amazonaws.com service principal call
 # sts:AssumeRole on the role. Permissions granted *through* the role are
 # not part of this block.
 resource "aws_iam_role" "ecs_task_role" {
 name               = "your-ecs-task-role"
 # Trust policy as a raw JSON heredoc; the "<<-" form strips the common
 # leading indentation before the string is handed to AWS.
 assume_role_policy = <<-EOF
 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "",
       "Effect": "Allow",
       "Principal": {
         "Service": "ecs-tasks.amazonaws.com"
       },
       "Action": [
         "sts:AssumeRole"
       ]
     }
   ]
 }
 EOF
}
 # Example IAM role whose trust policy allows the ec2.amazonaws.com service
 # principal to call sts:AssumeRole on it. Only the trust relationship is
 # declared here; no permission policies are attached in this block.
 resource "aws_iam_role" "test_role" {
 name = "test_role"

 # Terraform's "jsonencode" function converts a
 # Terraform expression result to valid JSON syntax.
 # Same policy shape as a hand-written JSON document, but expressed as HCL
 # so Terraform validates the structure before sending it to AWS.
 assume_role_policy = jsonencode({
   Version = "2012-10-17"
   Statement = [
     {
       Action = "sts:AssumeRole"
       Effect = "Allow"
       Sid    = ""
       Principal = {
         Service = "ec2.amazonaws.com"
       }
     },
   ]
 })

 # Placeholder tag; replace with the tags your environment requires.
 tags = {
   tag-key = "tag-value"
 }
}

Related

See also
