Difference between revisions of "Action: sts:AssumeRole (aws iam role)"

From wikieduonline
Jump to navigation Jump to search
Line 18: Line 18:
  
 
== Examples ==
 
== Examples ==
 +
 +
Access to s3:
 
  {
 
  {
 
     "Version": "2012-10-17",
 
     "Version": "2012-10-17",
Line 25: Line 27:
 
             "Principal": {
 
             "Principal": {
 
                 "Service": "s3.amazonaws.com"
 
                 "Service": "s3.amazonaws.com"
 +
            },
 +
            "Action": "sts:AssumeRole"
 +
        }
 +
    ]
 +
}
 +
 +
 +
Access to s3 and one more cross-account role:
 +
{
 +
    "Version": "2012-10-17",
 +
    "Statement": [
 +
        {
 +
            "Effect": "Allow",
 +
            "Principal": {
 +
                "Service": "s3.amazonaws.com"
 +
            },
 +
            "Action": "sts:AssumeRole"
 +
        },
 +
        {
 +
            "Effect": "Allow",
 +
            "Principal": {
 +
                "arn:aws:iam::01234567890:role/your-role",
 +
                "arn:aws:iam::11111111111:role/your-other-role"
 
             },
 
             },
 
             "Action": "sts:AssumeRole"
 
             "Action": "sts:AssumeRole"

Revision as of 12:16, 18 August 2023

sts:AssumeRole

Official example

https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Principal": {
       "AWS": "arn:aws:iam::111122223333:root"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}

Examples

Access to s3:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


Access to s3 and one more cross-account role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "arn:aws:iam::01234567890:role/your-role",
                "arn:aws:iam::11111111111:role/your-other-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}


 {
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "",
     "Effect": "Allow",
     "Principal": {
       "Service": "ecs-tasks.amazonaws.com"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}



 resource "aws_iam_role" "ecs_task_role" {
 name               = "your-ecs-task-role"
 assume_role_policy = <<-EOF
 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Sid": "",
       "Effect": "Allow",
       "Principal": {
         "Service": "ecs-tasks.amazonaws.com"
       },
       "Action": [
         "sts:AssumeRole"
       ]
     }
   ]
 }
 EOF
}
 resource "aws_iam_role" "test_role" {
 name = "test_role"

 # Terraform's "jsonencode" function converts a
 # Terraform expression result to valid JSON syntax.
 assume_role_policy = jsonencode({
   Version = "2012-10-17"
   Statement = [
     {
       Action = "sts:AssumeRole"
       Effect = "Allow"
       Sid    = ""
       Principal = {
         Service = "ec2.amazonaws.com"
       }
     },
   ]
 })

 tags = {
   tag-key = "tag-value"
 }
}

Related

See also

Advertising: