I am new to AWS and IAM and trying to understand roles and trust relationship.
I fully understand why roles are used, how to create them and their use case.
What I don't get is the trust relationship step. In almost all the cases I have seen it is a one to one relationship. EC2 needs a trust with EC2. Why is there the extra step?
If I create an EC2 instance and a role that has S3 permissions why isn't that enough?
Trust relationship – This policy defines which principals can assume the role, and under which conditions. This is sometimes referred to as a resource-based policy for the IAM role.
In the navigation pane of the IAM console, choose Roles. The console displays the roles for your account. Choose the name of the role that you want to modify, and select the Trust relationships tab on the details page. Choose Edit trust relationship.
Each role has a set of permissions for making AWS service requests, and a role is not associated with a specific user or group. Instead, trusted entities such as identity providers or AWS services assume roles. For more information, see IAM roles.
A role trust policy is a required resource-based policy that is attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services.
Permissions policy – A permissions document in JSON format in which you define what actions and resources the role can use.
Roles are used to grant specific privileges to specific actors for a set duration of time. So, a role needs two things: permission policies (what resources can be accessed and what actions can be taken) and a trust policy (what entities can assume the role).
For example, the following CloudFormation snippet creates a role (MyInstanceRole) with a policy (MyWritePolicy) giving access to an S3 bucket and allows EC2 instances (the Principal, or the trust part) to assume the role:

```yaml
MyInstanceRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: 2012-10-17
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service: ec2.amazonaws.com
    Path: '/'
    RoleName: MyInstanceRole
    Policies:
      - PolicyName: MyWritePolicy
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Sid: WriteBackups
              Action:
                - s3:PutObject
              Effect: Allow
              Resource: !Join ['', ['arn:aws:s3:::', !Join [ '-', [ 'bucketName', !Ref Environment ] ], '/*' ] ]
```
In many cases there will be just a single Principal, but there can be more than one (AWS account, IAM user, IAM role, federated user, or assumed-role user) if required.
There's a handy blog post at Now Create and Manage AWS IAM Roles More Easily with the Updated IAM Console that gives some more details.
TLDR: Think of aws trusted relations as which aws service can implement (assume role) the permissions you are giving.
Quick example: If I've created a role which contains permissions to read a bucket from s3 and ec2 is the trusted relation in this role, only ec2 instances can implement this role and have access to this s3 bucket. rds, for example, can't assume this role and therefore can't. You grant permissions x that only aws service y can use.
Let me explain it with some easy use case:
I want to be able to download some configuration file from an s3 bucket into my web application; the web application runs on an ec2 instance and the s3 bucket name is "configuration-for-app".
I'm creating a role named "my-app-role" which contains several policies, one of them an s3 policy that can access my s3 amazon resource "configuration-for-app" and has explicit permission to get it only (not delete it, not change it - just get it). Since the app runs on ec2, the trusted relation in this requirement between these services would be <ec2> -> <s3>, and my application that runs on ec2 can assume that role (my-app-role) and access (with the correct policy in it) s3 and get the configuration file.
The role contains this policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::configuration-for-app/*"
    }
  ]
}
```
The trusted policy would be:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
I grant permissions (assume-role of "my-app-role") <x> to service <y> (my ec2 instance that runs my applications) in order to accomplish operation <z> (get the s3 configuration file from bucket "configuration-for-app"; the role contains this specific s3 policy).
Important - If a different service in aws (like rds / elasticsearch / amplify etc ...) wants to assume this role and get the configuration file of this app, it's impossible because only ec2 instances in this example have the right trusted policy.
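Both answers describe the same two-step check: the trust policy decides who may call sts:AssumeRole at all, and only then does the permissions policy decide what the assumed role may do. The script below is an added example, not code from either answer or from AWS. It is a small offline simulator of that evaluation order, using the trust and permissions documents from the second answer, with `rds.amazonaws.com` as a constructed example of a service principal that is not trusted. It models only Service principals, Action/Resource wildcards and explicit Deny, so it is an illustration of the model rather than AWS's real policy engine. It also includes `trust_policy_warnings`, a reviewer's check that flags trust statements with a wildcard principal, which is the first thing to look for when auditing who can assume a role.

```python
"""Offline simulator of the IAM role model: trust policy first, then
permissions policy. Added example, not AWS's policy evaluation engine."""
from fnmatch import fnmatchcase

# Trust policy from the second answer: only EC2 may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

# Permissions policy from the second answer: read-only access to one bucket.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::configuration-for-app/*"}
    ],
}

# Constructed example of an over-broad trust policy (anyone may assume).
WILDCARD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') of a value against policy strings."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def can_assume(trust_policy, service_principal):
    """Step 1: does the trust policy let this service principal call
    sts:AssumeRole? Default is deny; an explicit Deny statement wins."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        if not _matches(stmt["Action"], "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal", {})
        services = ["*"] if principal == "*" else _as_list(principal.get("Service", []))
        if _matches(services, service_principal):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def is_allowed(permissions_policy, action, resource):
    """Step 2: does the role's permissions policy allow `action` on `resource`?
    Default is deny; an explicit Deny statement wins."""
    allowed = False
    for stmt in permissions_policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def request(role_trust, role_perms, caller, action, resource):
    """Full path of a request made through the role: the caller must be trusted
    to assume it before the permissions policy is even consulted."""
    if not can_assume(role_trust, caller):
        return "denied: caller not trusted to assume the role"
    if not is_allowed(role_perms, action, resource):
        return "denied: role has no permission for this action/resource"
    return "allowed"


def trust_policy_warnings(trust_policy):
    """Reviewer's check: list Allow statements whose Principal is a wildcard,
    i.e. any AWS principal could assume the role (a Condition, if present,
    would narrow that and should be reviewed by hand)."""
    warnings = []
    for i, stmt in enumerate(trust_policy["Statement"]):
        principal = stmt.get("Principal")
        if stmt["Effect"] == "Allow" and principal in ("*", {"AWS": "*"}):
            suffix = " (narrowed by a Condition, review it)" if "Condition" in stmt else ""
            warnings.append(f"statement {i}: wildcard principal may assume the role{suffix}")
    return warnings


if __name__ == "__main__":
    obj = "arn:aws:s3:::configuration-for-app/app.yml"
    for caller, action in [("ec2.amazonaws.com", "s3:GetObject"),
                           ("rds.amazonaws.com", "s3:GetObject"),
                           ("ec2.amazonaws.com", "s3:DeleteObject")]:
        print(f"{caller:<20} {action:<16} -> "
              f"{request(TRUST_POLICY, PERMISSIONS_POLICY, caller, action, obj)}")
    print("warnings:", trust_policy_warnings(WILDCARD_TRUST_POLICY))
```

Running it shows the three outcomes the answers describe: EC2 reading the bucket is allowed, RDS is stopped at the trust policy before the S3 permission is ever evaluated, and EC2 trying to delete is stopped by the permissions policy even though it is trusted to assume the role.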