 

Assume multiple AWS IAM roles at a single time

Tags:

amazon-iam

On occasion, I need to access multiple AWS resources that I have individual access for with separate IAM roles. If I need these resources to be used together, I currently have to figure out a non-native connector piece.

If I could access the resources together at the same time, I can sometimes use an AWS connector to interface with both resources at once (for example).

Is there a way to assume multiple IAM roles at the same time?

ignorance asked Feb 20 '18 00:02


People also ask

How many IAM roles can be assigned to an AWS service at a time?

An instance profile can contain only one IAM role. This limit cannot be increased.

Can an assumed role assume another role?

You can assume a role from an assumed role. Account C would have a role that trusts account B. Account B would have a role that trusts account A. Each role would also have to have permissions for sts:AssumeRole on the role that account is assuming.

Can I assume a role in the same account AWS?

You must explicitly grant your users permission to assume the role. Your users must actively switch to the role using the AWS Management Console or assume the role using the AWS CLI or AWS API.

How do you assume IAM role?

You can assume a role by calling an AWS CLI or API operation or by using a custom URL. The method that you use determines who can assume the role and how long the role session can last. Using the credentials for one role to assume a different role is called role chaining.


1 Answer

Technically, yes, there is a way to assume multiple IAM roles at the same time.

But it doesn't mean what you intend.

Assuming an IAM role doesn't modify who you are and doesn't modify what permissions you have -- contrary to the intuitive interpretation of what it might mean to assume a different identity. Instead, when you assume a role, you are given a new set of temporary credentials to use, instead of "your" credentials -- the credentials you used to assume the role.

Requests made with these temporary credentials are authorized against the permissions granted to the role.

Thus, while you can assume multiple roles at the same time, each of those actions has a separate set of associated credentials, so it won't allow you to make requests that require you to have the permissions of more than one role for any given request.

Every request is performed by a single principal, so if you are trying to perform a single action that requires the union of the permissions of multiple roles, that's not possible.

Michael - sqlbot answered Oct 01 '22 10:10
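The pattern the answer describes in working form, as an added example that is not part of the original post: each sts:AssumeRole call yields its own temporary credential set, and every request is then signed by exactly one of them. The role ARNs are placeholders, and `FakeSTS` is a constructed stand-in for the STS API so the script runs offline; pass a real `boto3.client("sts")` instead to use it against AWS.

```python
"""Assume several IAM roles separately and keep one credential set per role."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleCredentials:
    role_arn: str
    access_key_id: str
    secret_access_key: str
    session_token: str


def assume_roles(sts, role_arns, session_name="multi-role-demo", duration=900):
    """Call AssumeRole once per role. `sts` is any object exposing a boto3-style
    assume_role(RoleArn=..., RoleSessionName=..., DurationSeconds=...) method."""
    creds = {}
    for arn in role_arns:
        resp = sts.assume_role(RoleArn=arn, RoleSessionName=session_name, DurationSeconds=duration)
        c = resp["Credentials"]
        creds[arn] = RoleCredentials(arn, c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"])
    return creds  # one independent credential set per role; nothing is merged


def credentials_for(creds, role_arn):
    """A single request is authorized as one principal: select that role's credentials.
    With boto3 you would build boto3.Session(aws_access_key_id=c.access_key_id,
    aws_secret_access_key=c.secret_access_key, aws_session_token=c.session_token)."""
    return creds[role_arn]


class FakeSTS:
    """Constructed offline stand-in for the STS client; not real AWS behaviour."""
    def __init__(self):
        self.calls = 0

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls += 1
        n = self.calls
        role = RoleArn.rsplit("/", 1)[-1]
        return {"Credentials": {"AccessKeyId": f"ASIAFAKE{n:02d}",
                                "SecretAccessKey": f"secret-{n}",
                                "SessionToken": f"token-{n}-{role}"}}


ROLE_A = "arn:aws:iam::111111111111:role/ReadBucket"  # placeholder account and role
ROLE_B = "arn:aws:iam::222222222222:role/ReadQueue"   # placeholder account and role


def demo(sts=None):
    """Assume both roles, then pick the credential set for each resource separately."""
    creds = assume_roles(sts or FakeSTS(), [ROLE_A, ROLE_B])
    return credentials_for(creds, ROLE_A), credentials_for(creds, ROLE_B)
```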