Difference between revisions of "Action: sts:AssumeRole (aws iam role)"

Latest revision as of 15:59, 7 November 2024

sts:AssumeRole
sts:AssumeRoleWithWebIdentity

Official example[edit]

https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam::111122223333:root"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}

Examples[edit]

Access to s3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Access to s3 and one more cross-account role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::01234567890:role/your-role",
                "AWS": "arn:aws:iam::11111111111:role/your-other-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?

 {
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "",
     "Effect": "Allow",
     "Principal": {
       "Service": "ecs-tasks.amazonaws.com"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}

 resource "aws_iam_role" "ecs_task_role" {
 name               = "your-ecs-task-role"
 assume_role_policy = <<-EOF
 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "",
       "Effect": "Allow",
       "Principal": {
         "Service": "ecs-tasks.amazonaws.com"
       },
       "Action": [
         "sts:AssumeRole"
       ]
     }
   ]
 }
 EOF
}

 resource "aws_iam_role" "test_role" {
 name = "test_role"

 # Terraform's "jsonencode" function converts a
 # Terraform expression result to valid JSON syntax.
 assume_role_policy = jsonencode({
   Version = "2012-10-17"
   Statement = [
     {
       Action = "sts:AssumeRole"
       Effect = "Allow"
       Sid    = ""
       Principal = {
         Service = "ec2.amazonaws.com"
       }
     },
   ]
 })

 tags = {
   tag-key = "tag-value"
 }
}

@@ Line 1: / Line 1: @@
-{{lowercase}}
+ [[sts:AssumeRole]]
-  [[sts:]]AssumeRole
+  [[sts:AssumeRoleWithWebIdentity]]
 == Official example ==
@@ Line 18: / Line 18: @@
 == Examples ==
+Access to s3:
+ {
+     "Version": "2012-10-17",
+     "Statement": [
+         {
+             "Effect": "Allow",
+             "Principal": {
+                 "Service": "s3.amazonaws.com"
+             },
+             "Action": "sts:AssumeRole"
+         }
+     ]
+ }
+Access to s3 and one more cross-account role:
   {
       "Version": "2012-10-17",
@@ Line 25: / Line 42: @@
               "Principal": {
                   "Service": "s3.amazonaws.com"
+             },
+             "Action": "sts:AssumeRole"
+         },
+         {
+             "Effect": "Allow",
+             "Principal": {
+                 "AWS": "arn:aws:iam::01234567890:role/your-role",
+                 "AWS": "arn:aws:iam::11111111111:role/your-other-role"
               },
               "Action": "sts:AssumeRole"
@@ Line 54: / Line 79: @@
 * <code>[[aws iam list-instance-profiles]]</code>
 * [[Terraform resource]]: <code>[[aws_iam_role]]</code>
+* <code>[[sts:AssumeRoleWithWebIdentity]]</code>
+* [[monitoring.rds.amazonaws.com]]
+* [[iam:PassRole]]
 == See also ==
 * {{aws sts}}
+* {{Roles}}
 [[Category:AWS]]

Difference between revisions of "Action: sts:AssumeRole (aws iam role)"

Latest revision as of 15:59, 7 November 2024

Contents

Official example[edit]

Examples[edit]

Related[edit]

See also[edit]

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools