I know how to create user
, group
and role
in AWS IAM. I can also attach policies to each of them. For example, after selecting a group, you can go to permissions
tab, and attach some policies to it.
However, I don't know how to attach a role to a user or group.
I looked on documentation and forums, but did not find anything, and appreciate your help.
To create a role (console)Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/ . In the navigation pane of the console, choose Roles and then choose Create role. Choose AWS account role type. To create a role for your account, choose This account.
IAM user groupsAny user in that user group automatically has the permissions that are assigned to the user group. If a new user joins your organization and should have administrator privileges, you can assign the appropriate permissions by adding the user to that user group.
Create the IAM role and attach the policy Because this IAM role is assumed by an IAM user, you must specify a principal that allows IAM users to assume that role. For example, a principal similar to arn:aws:iam::123456789012:root allows all IAM identities of the account to assume that role.
You can't assign IAM role to IAM user or group, see the notes from this AWS official doc :- https://aws.amazon.com/iam/faqs/
Q: Can I add an IAM role to an IAM group?
Not at this time.
And
Q: What is an IAM role?
An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.
It looks like it's not straight forward to attach IAM role
to IAM user
, follow https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html on how to do it.
In the past, I've created IAM role for my ec2-instance and when launching that instance, I can choose that IAM role and my ec2-instance will have all the permissions set in that IAM role, likewise you can assign a role to other ec2-services, this is the most used scenario of IAM role.
To assign IAM role to an IAM user, do the following:
That's it. Now test it out using the Switch Role feature.
Follow the same procedure to assign IAM role to an IAM group.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With