Difference between revisions of "Action: sts:AssumeRole (aws iam role)"
Jump to navigation
Jump to search
| (23 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | [[sts:AssumeRole]] | |
| + | [[sts:AssumeRoleWithWebIdentity]] | ||
| + | == Official example == | ||
| + | https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/ | ||
| + | { | ||
| + | "Version": "2012-10-17", | ||
| + | "Statement": [ | ||
| + | { | ||
| + | "Effect": "Allow", | ||
| + | "Principal": { | ||
| + | "AWS": "arn:aws:iam::111122223333:root" | ||
| + | }, | ||
| + | "Action": "sts:AssumeRole" | ||
| + | } | ||
| + | ] | ||
| + | } | ||
| + | == Examples == | ||
| + | |||
| + | Access to s3: | ||
| + | { | ||
| + | "Version": "2012-10-17", | ||
| + | "Statement": [ | ||
| + | { | ||
| + | "Effect": "Allow", | ||
| + | "Principal": { | ||
| + | "Service": "s3.amazonaws.com" | ||
| + | }, | ||
| + | "Action": "sts:AssumeRole" | ||
| + | } | ||
| + | ] | ||
| + | } | ||
| + | |||
| + | |||
| + | Access to s3 and one more cross-account role: | ||
| + | { | ||
| + | "Version": "2012-10-17", | ||
| + | "Statement": [ | ||
| + | { | ||
| + | "Effect": "Allow", | ||
| + | "Principal": { | ||
| + | "Service": "s3.amazonaws.com" | ||
| + | }, | ||
| + | "Action": "sts:AssumeRole" | ||
| + | }, | ||
| + | { | ||
| + | "Effect": "Allow", | ||
| + | "Principal": { | ||
| + | "AWS": "arn:aws:iam::01234567890:role/your-role", | ||
| + | "AWS": "arn:aws:iam::11111111111:role/your-other-role" | ||
| + | }, | ||
| + | "Action": "sts:AssumeRole" | ||
| + | } | ||
| + | ] | ||
| + | } | ||
| + | |||
| + | |||
| + | |||
| + | * [[How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?]] | ||
| + | |||
| + | {{ecs-tasks.amazonaws.com}} | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | {{aws_iam_role ecs_task_role}} | ||
| + | |||
| + | {{aws_iam_role test_role}} | ||
== Related == | == Related == | ||
* <code>[[aws sts assume-role]]</code> | * <code>[[aws sts assume-role]]</code> | ||
| + | * <code>[[aws iam add-role-to-instance-profile]]</code> | ||
* [[Amazon Cloudformation EKS cluster role]] | * [[Amazon Cloudformation EKS cluster role]] | ||
* <code>[[An error occurred (ValidationError) when calling the AssumeRole operation:]]</code> | * <code>[[An error occurred (ValidationError) when calling the AssumeRole operation:]]</code> | ||
| Line 12: | Line 79: | ||
* <code>[[aws iam list-instance-profiles]]</code> | * <code>[[aws iam list-instance-profiles]]</code> | ||
* [[Terraform resource]]: <code>[[aws_iam_role]]</code> | * [[Terraform resource]]: <code>[[aws_iam_role]]</code> | ||
| + | * <code>[[sts:AssumeRoleWithWebIdentity]]</code> | ||
| + | * [[monitoring.rds.amazonaws.com]] | ||
| + | * [[iam:PassRole]] | ||
== See also == | == See also == | ||
* {{aws sts}} | * {{aws sts}} | ||
| + | * {{Roles}} | ||
[[Category:AWS]] | [[Category:AWS]] | ||
Latest revision as of 15:59, 7 November 2024
sts:AssumeRole sts:AssumeRoleWithWebIdentity
Contents
Official example[edit]
https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole"
}
]
}
Examples[edit]
Access to s3:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Access to s3 and one more cross-account role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::01234567890:role/your-role",
"AWS": "arn:aws:iam::11111111111:role/your-other-role"
},
"Action": "sts:AssumeRole"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
resource "aws_iam_role" "ecs_task_role" { name = "your-ecs-task-role" assume_role_policy = <<-EOF { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ecs-tasks.amazonaws.com" }, "Action": [ "sts:AssumeRole" ] } ] } EOF }
resource "aws_iam_role" "test_role" { name = "test_role" # Terraform's "jsonencode" function converts a # Terraform expression result to valid JSON syntax. assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [ { Action = "sts:AssumeRole" Effect = "Allow" Sid = "" Principal = { Service = "ec2.amazonaws.com" } }, ] }) tags = { tag-key = "tag-value" } }
Related[edit]
aws sts assume-roleaws iam add-role-to-instance-profile- Amazon Cloudformation EKS cluster role
An error occurred (ValidationError) when calling the AssumeRole operation:aws sts get-caller-identitysts:aws ssm put-parameteraws iam list-instance-profiles- Terraform resource:
aws_iam_role sts:AssumeRoleWithWebIdentity- monitoring.rds.amazonaws.com
- iam:PassRole
See also[edit]
Advertising:
