Difference between revisions of "Action: sts:AssumeRole (aws iam role)"
Revision as of 12:16, 18 August 2023
sts:AssumeRole
Official example
https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Examples
Trust policy allowing the S3 service principal (s3.amazonaws.com) to assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Trust policy allowing the S3 service principal and two roles in other accounts to assume the role (the role ARNs belong under an "AWS" key inside "Principal"; listing them bare is not valid JSON):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::01234567890:role/your-role",
          "arn:aws:iam::11111111111:role/your-other-role"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
resource "aws_iam_role" "ecs_task_role" {
  name = "your-ecs-task-role"

  assume_role_policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": "ecs-tasks.amazonaws.com"
        },
        "Action": [
          "sts:AssumeRole"
        ]
      }
    ]
  }
  EOF
}
resource "aws_iam_role" "test_role" {
  name = "test_role"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Sid    = ""
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      },
    ]
  })

  tags = {
    tag-key = "tag-value"
  }
}
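As an added example that is not part of this wiki page, the following Python linter applies the checks a reviewer would run on trust policies like the ones above: it reports the malformed Principal from the cross-account example (bare ARNs are not even valid JSON) and flags an account-root or wildcard principal that has no Condition. Both sample policies are constructed for this example.

```python
import json

# Constructed sample policies for this example (not taken from any real account).
# BROKEN_POLICY reproduces the mistake in the cross-account example above:
# ARNs placed directly inside Principal instead of under an "AWS" key.
ROOT_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
               '"Principal": {"AWS": "arn:aws:iam::111122223333:root"}, '
               '"Action": "sts:AssumeRole"}]}')
BROKEN_POLICY = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                 '"Principal": {"arn:aws:iam::01234567890:role/your-role"}, '
                 '"Action": "sts:AssumeRole"}]}')

PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}


def check_trust_policy(policy_json):
    """Return review findings for an sts:AssumeRole trust policy (offline heuristic linter).

    Flags: documents that do not parse; a Principal that is not "*" or an object with
    AWS/Service/Federated/CanonicalUser keys; an account-root or wildcard AWS
    principal that has no Condition, since any identity there could then assume the role.
    """
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg}"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal allows any caller")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal must be \"*\" or an object")
            continue
        unknown = sorted(set(principal) - PRINCIPAL_KEYS)
        if unknown:
            findings.append(f"statement {i}: unknown Principal keys {unknown}")
        aws = principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            if (arn == "*" or arn.endswith(":root")) and "Condition" not in stmt:
                findings.append(f"statement {i}: broad principal {arn} without a Condition")
    return findings
```

A clean service-principal policy such as the ecs-tasks example returns no findings, so the function can gate a Terraform or CI pipeline before the role is created.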
Related
- aws sts assume-role
- aws iam add-role-to-instance-profile
- Amazon Cloudformation EKS cluster role
- An error occurred (ValidationError) when calling the AssumeRole operation:
- aws sts get-caller-identity
- sts:
- aws ssm put-parameter
- aws iam list-instance-profiles
- Terraform resource: aws_iam_role