AWS

How to Create IAM Roles in AWS

In AWS architecture, we often require one AWS service to manage or access other AWS services on our behalf (for example, an EC2 instance reading data from an S3 bucket). To do so, we have to give permissions to that service, just as we give permissions to IAM users in our account. These permissions are granted by attaching IAM policies to IAM roles, and the role is then assigned to the AWS service. This blog describes how to create IAM roles on AWS using the AWS Management Console and the AWS Command Line Interface.

Types of AWS Roles

There are four types of roles we can create in AWS which are as follows:

AWS Service Role

AWS service roles are the most commonly used type of role: they let one AWS service have permissions to access another AWS service on your behalf. An AWS service role can be attached to an EC2 instance, a Lambda function or any other AWS service.

Another AWS Account Role

This is simply used to allow access from one AWS account to another AWS account.

Web Identity Role

This role allows users who are not in your AWS account (that is, not IAM users) to access AWS services in your account. Using web identity roles, such users can be permitted to use AWS services from your account.

SAML 2.0 Federation Role

This role grants specific users access to manage and use your AWS account if they are federated through SAML 2.0. SAML 2.0 is a protocol that provides authentication and authorization between security domains.

Creating IAM Roles

In this section we are going to look at how you can create IAM roles using the following methods.

  • Using AWS Management Console
  • Using AWS Command Line Interface (CLI)

Creating IAM Role Using Management Console

Sign in to your AWS account and in the top search bar, type IAM.

Select the IAM option from the search results. This will take you to your IAM dashboard. Click on Roles in the left side panel to manage the IAM roles in your account.

Click on Create role button to create a new role in your account.

In the create role section, first you need to select the type of role you want to create. In this article, we are going to discuss only AWS service roles as they are the most commonly and frequently used type of role.

Now, you need to select the AWS service for which you want to create the role. There is a long list of services available here and we are going to stick with EC2.

To give a role the permissions you want, attach an IAM policy to it, just as an IAM policy is attached to an IAM user to grant permissions. These policies are JSON documents with one or more statements. You can either use AWS managed policies or create your own custom policies. For this demo, we will attach an AWS managed policy that gives read-only permission to S3.

Next, add tags if you want; this step is entirely optional.

Lastly, review the details about the role you are creating and add the name for your role. Then click on the Create role button in the bottom right corner of the console.

So, you have successfully created a role in AWS and this role can be found in the roles section of IAM console.

Attach Role to Service

So far we have created an IAM role; now we will see how to attach it to an AWS service to grant permissions. Since we created an EC2 role, it can only be attached to an EC2 instance.

In order to attach an IAM role to an EC2 instance, first create an EC2 instance in your AWS account. After creating an EC2 instance, go to the EC2 console.

Click on the Actions menu, choose Security from the list and click Modify IAM role.

In the Modify IAM role section, select the role from the list you want to assign and simply click on Save button.

After this, if you want to verify that the role is actually attached to your instance, you can just look for it in the summary section.

Creating IAM Role Using Command Line Interface

IAM roles can also be created from the command line interface, which is the most common method for developers who prefer the CLI over the Management Console. You can set up the AWS CLI on Windows, Mac or Linux, or simply use AWS CloudShell. First, log in to your AWS user account with your credentials; then follow the procedure below to create a new role.

Create a text file for the trust relationship policy using the following command in the terminal.

$ vim demo_policy.json

In the editor, paste the trust policy for the role. The document below allows the EC2 service to assume the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
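A trust policy that is not a well-formed JSON object is rejected by create-role, and a policy whose Principal is "*" lets any AWS identity assume the role. The following is an added example, not code from the original post: it builds the EC2 trust policy shown above and validates a policy document before it is sent to the CLI. The BROKEN sample is constructed to reproduce a bracket-for-brace typo.

```python
import json

# Trust policy for EC2 as a Python dict (the same document as the file above).
def ec2_trust_policy():
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

def _principals(p):
    """Flatten a Principal value ('*' or a dict of strings/lists) to a list."""
    if isinstance(p, str):
        return [p]
    out = []
    for v in (p or {}).values():
        out.extend([v] if isinstance(v, str) else v)
    return out

def validate_trust_policy(text):
    """Return the problems found in a trust policy document; [] means usable."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object ({...}), not an array ([...])"]
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    stmts = doc.get("Statement")
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    if not isinstance(stmts, list) or not stmts:
        return problems + ["Statement must be a non-empty list"]
    for i, s in enumerate(stmts):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if "Action" not in s or "Principal" not in s:
            problems.append(f"statement {i}: needs both Principal and Action")
        # A wildcard principal would let any AWS identity assume the role.
        if s.get("Effect") == "Allow" and "*" in _principals(s.get("Principal")):
            problems.append(f"statement {i}: wildcard principal; name the service or account")
    return problems

# Constructed sample: the document above with its outer braces typed as brackets.
BROKEN = '[ "Version": "2012-10-17", "Statement": [] ]'
```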

After pasting the policy, save and exit the editor. To check that the file was saved correctly, read it back with the cat command.

$ cat <file_name>

Now, finally you can create your IAM role using the following command.

$ aws iam create-role --role-name <name> --assume-role-policy-document file://<name.json>

This command creates the IAM role and sets the JSON document as the role's trust (assume-role) policy.

A permissions policy (for example, a managed policy) is attached to the IAM role with the following command in the terminal.

$ aws iam attach-role-policy --role-name <name> --policy-arn <arn>

To list the policies attached to the IAM role, use the following command in the terminal.

$ aws iam list-attached-role-policies --role-name <name>

Attach Role to Service

After creating the IAM role, attach it to an AWS service. Here, we are going to attach the role to an EC2 instance.

To attach a role to an EC2 instance, we first need to create an instance profile using the following CLI command.

$ aws iam create-instance-profile --instance-profile-name <name>

Now, add the role to the instance profile:

$ aws iam add-role-to-instance-profile --instance-profile-name <name> --role-name <name>

Finally, we attach this instance profile to our EC2 instance with the following command:

$ aws ec2 associate-iam-instance-profile --instance-id <id> --iam-instance-profile Name=<name>

To list the IAM instance profile associations, use the following command in the terminal.

$ aws ec2 describe-iam-instance-profile-associations
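The CLI steps above have to run in order, and EC2 may briefly refuse to associate an instance profile that IAM has only just created. The following added example (not code from the original post) runs the same five aws commands through subprocess with a dry-run mode and retries the association on that propagation error; the role, profile and instance-id values are constructed placeholders, and AmazonS3ReadOnlyAccess is the managed policy used in the console walkthrough.

```python
import subprocess
import time

def aws(args, dry_run=False):
    """Run one aws CLI command given as an argv list (no shell quoting issues).
    With dry_run=True the argv is returned instead of being executed."""
    argv = ["aws", *args]
    if dry_run:
        return argv
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

def provision_ec2_role(role, policy_arn, profile, instance_id, trust_file, dry_run=False):
    """Create the role, attach a permissions policy, wrap the role in an
    instance profile and associate the profile with the instance."""
    steps = [
        ["iam", "create-role", "--role-name", role,
         "--assume-role-policy-document", f"file://{trust_file}"],
        ["iam", "attach-role-policy", "--role-name", role, "--policy-arn", policy_arn],
        ["iam", "create-instance-profile", "--instance-profile-name", profile],
        ["iam", "add-role-to-instance-profile",
         "--instance-profile-name", profile, "--role-name", role],
    ]
    results = [aws(step, dry_run) for step in steps]
    associate = ["ec2", "associate-iam-instance-profile", "--instance-id", instance_id,
                 "--iam-instance-profile", f"Name={profile}"]
    # IAM is eventually consistent: EC2 may reject a just-created instance
    # profile (InvalidParameterValue) for a few seconds, so retry briefly.
    for attempt in range(5):
        try:
            results.append(aws(associate, dry_run))
            break
        except subprocess.CalledProcessError as exc:
            if attempt == 4 or "InvalidParameterValue" not in exc.stderr:
                raise
            time.sleep(5)
    return results

if __name__ == "__main__":
    # Constructed placeholders; run with dry_run=False against a real account.
    for argv in provision_ec2_role("demo-ec2-role",
                                   "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                                   "demo-ec2-profile", "i-0123456789abcdef0",
                                   "demo_policy.json", dry_run=True):
        print(" ".join(argv))
```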

Conclusion

Managing IAM roles is one of the basic concepts in the AWS cloud. IAM roles are used to authorize one AWS service to access another AWS service on your behalf. They also help keep your AWS resources secure by granting services only the specific permissions they need. These roles can also be used to allow IAM users from other AWS accounts to use resources in your AWS account. IAM roles use IAM policies to assign permissions to the AWS services they are attached to. This blog described the step-by-step procedure to create IAM roles using the AWS Management Console and the AWS Command Line Interface.

About the author

Zain Abideen

A DevOps Engineer with expertise in provisioning and managing servers on AWS and Software delivery lifecycle (SDLC) automation. I'm from Gujranwala, Pakistan and currently working as a DevOps engineer.