
How to assign IAM role to users or groups

I know how to create user, group and role in AWS IAM. I can also attach policies to each of them. For example, after selecting a group, you can go to permissions tab, and attach some policies to it.

However, I don't know how to attach a role to a user or group.

I looked on documentation and forums, but did not find anything, and appreciate your help.

Alisa asked Jan 03 '18 21:01




2 Answers

You can't assign an IAM role to an IAM user or group; see the notes from this official AWS doc: https://aws.amazon.com/iam/faqs/

Q: Can I add an IAM role to an IAM group?

Not at this time.

And

Q: What is an IAM role?

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.

It looks like it's not straightforward to attach an IAM role to an IAM user; follow https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html on how to do it.

In the past, I've created an IAM role for my EC2 instance, and when launching that instance I can choose that IAM role and my EC2 instance will have all the permissions set in that IAM role. Likewise, you can assign a role to other ec2-services; this is the most used scenario of IAM roles.

Amit answered Oct 07 '22 07:10


To assign an IAM role to an IAM user, do the following:

  1. Open the IAM Dashboard
  2. Select the role that you want to assign to an IAM user
  3. Edit the trust policy
  4. Add the ARN of the IAM user in the Principal section

That's it. Now test it out using the Switch Role feature.

Follow the same procedure to assign an IAM role to an IAM group.

user12054114 answered Oct 07 '22 06:10
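
The trust-policy edit from the steps above, as an added example that is not part of either answer: a Python helper that inserts an IAM user ARN into a role's trust policy document. The sample policy, the account ID 123456789012 and the user names are constructed, and the function name is hypothetical; the helper refuses group ARNs and wildcards because IAM does not accept a user group as a policy principal.

```python
import copy
import json
import re

# Constructed sample: trust policy of a role that so far only EC2 can assume.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# arn:aws:iam::<12-digit account>:user/<optional path/><name> (aws partition only)
USER_ARN = re.compile(r"arn:aws:iam::\d{12}:user/[\w+=,.@/-]+")


def allow_user_to_assume(trust_policy, user_arn):
    """Return a copy of trust_policy that also lets user_arn call sts:AssumeRole."""
    if not USER_ARN.fullmatch(user_arn):
        # Group ARNs are refused because IAM does not accept a group as a
        # Principal; "*" and account-root ARNs are refused because they would
        # open the role to far more identities than the one user intended.
        raise ValueError(f"not an IAM user ARN: {user_arn!r}")
    policy = copy.deepcopy(trust_policy)
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal")
        # Reuse an existing unconditional Allow statement for IAM principals.
        if (stmt.get("Effect") == "Allow"
                and stmt.get("Action") == "sts:AssumeRole"
                and "Condition" not in stmt
                and isinstance(principal, dict) and "AWS" in principal):
            arns = principal["AWS"]
            arns = [arns] if isinstance(arns, str) else arns
            if user_arn not in arns:
                arns.append(user_arn)
            principal["AWS"] = arns
            return policy
    # Otherwise add a dedicated statement and leave service principals untouched.
    policy["Statement"].append({
        "Effect": "Allow",
        "Principal": {"AWS": [user_arn]},
        "Action": "sts:AssumeRole",
    })
    return policy


if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/example-user"  # constructed ARN
    print(json.dumps(allow_user_to_assume(SAMPLE_TRUST_POLICY, user), indent=2))
```

The printed JSON is what goes into the role's trust policy editor in step 3, or into `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json`.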