
HANDS ON GUIDE TO AWS ROLE AND PERMISSIONS (STS ASSUME ROLE)

DEMO GUIDE TO AWS ROLE: AWS SECURITY TOKEN SERVICE (STS) Assume Role.


by Joseph Ndambombi Honpah


🔑 What is Assume Role?
AWS STS AssumeRole lets you grant temporary, limited-privilege credentials to users or applications. This is especially useful for scenarios like granting EC2 instances access to AWS resources without hard-coding long-term credentials.

💡 Why Use Assume Role for EC2 Access?
1️⃣ Enhanced Security: Avoid storing long-term credentials on your instances.
2️⃣ Granular Permissions: Assign only the permissions needed for specific tasks.
3️⃣ Auditability: Track and monitor temporary credentials for better compliance.

āœšŸ¾In this Demo you want your management account to grant ONLY short term credentials for EC2 access to your newly created IAM user, to perform actions on EC2 console.

šŸ“Prerequisite for this Demo.

1ļøāƒ£Two AWS IAM user accounts created by navigating to AWS MANAGEMENT CONSOLE

2ļøāƒ£Note pad for writing.

📈 The cost of this demo is $0 unless you choose to spin up EC2 instances, which may incur charges unless you're in the Free Tier.

1ļøāƒ£ Creating a new IAM userĀ justĀ forĀ demo, if you have one already set up you can skip this section.

  • Navigate to the management console for the management account and search IAM and click on it.
  • Go to users and click on the create user.


  • Give the IAM user a name (Demo-STS), check "Provide user access" and check the "Create an IAM user" box ☑️.


  • Auto-generate a password, leave everything else as default, scroll down and click Next.


  • Leave everything as default and click Next.


  • Review your details, scroll down and click Create user.


  • Retrieve the sign-in details and save them on the notepad for reference.


  • In a new browser, copy and paste the console sign-in details and sign in as the newly created IAM user with the details collected above.


  • Once you're signed in as the new user (Demo-STS user), navigate to the EC2 console: you will see that this user has no EC2 permissions in the account.


2ļøāƒ£ Creating STS Assume Role and adding EC2 permissions to that Role for the newly created account to use EC2 service.

  • Back in the management account, in the IAM console click on Roles and then Create role.


  • Check the box ☑️ for Trusted entity type "AWS account" and "This account", scroll down and click Next.


  • Add permissions by searching for AmazonEC2FullAccess. Once selected, scroll down and click next.


  • Give the role a name (EC2-Full-Access-STS), review and scroll down to create it.


  • Still in the management account, click Roles and click on the role just created above to retrieve its Role ARN and "Link to switch roles in console", both of which will be used in the next part of this demo.


  • Click on the new IAM user (Demo-STS) you created. Click on the Add permissions drop-down and choose Create inline policy.


  • Click on JSON and set the action to "sts:AssumeRole"; the Resource should be the ARN of the role created above (EC2-Full-Access-STS). Scroll down and click Next.


  • Give the policy a name (EC2-Full-Access-STS), review, scroll down and click Create policy.


  • Confirm that creating the inline policy does not, by itself, give the new IAM user (Demo-STS) EC2 access yet: the policy only allows the user to assume the role.


  • To use that access you have to switch into the role: navigate to Roles in the management account, click on the role created (EC2-Full-Access-STS), copy the "Link to switch roles in console", paste it into a new browser and press Enter.
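The console clicks in this section produce three policy documents: the role's trust policy ("AWS account" / "This account"), the role's permissions policy (AmazonEC2FullAccess) and the user's inline policy (sts:AssumeRole on the role ARN). The following is an added example, not code from the original post: it writes those documents out and runs a deliberately minimal evaluator over them to show why the inline policy alone grants no EC2 access while the assumed role grants EC2 but not S3 (the checks made in the next section). The account id 123456789012 is a constructed placeholder, and the evaluator only models Allow statements with wildcard matching; it ignores Deny, Conditions, NotAction and the case-insensitive action matching of real IAM.

```python
"""Added example (not from the original post): the policy documents behind
steps 1-2 and a minimal evaluator for the demo's access checks.

Assumptions (constructed): account id 123456789012, role EC2-Full-Access-STS,
user Demo-STS. The evaluator models only explicit Allow statements with
wildcards; real IAM evaluation (Deny, Conditions, case-insensitive actions,
service-linked defaults) is out of scope.
"""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # placeholder, not a real account
ROLE_NAME = "EC2-Full-Access-STS"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"

# Trust policy the console writes for "AWS account" -> "This account": any
# principal in the account may call sts:AssumeRole on this role, but only if
# its own identity policy also allows it (that is what the inline policy adds).
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Stand-in for the AmazonEC2FullAccess managed policy attached to the role.
# The real managed policy also covers related services; only the EC2 part
# that the demo checks is modelled here.
ROLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Inline policy attached to the Demo-STS user: the action is sts:AssumeRole
# and the resource is the ARN of the role, nothing else.
USER_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource="*"):
    """True if any Allow statement in `policies` matches action and resource.
    Simplified: no Deny, no NotAction, no Conditions."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", "*"))
            if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
               any(fnmatch.fnmatchcase(resource, r) for r in resources):
                return True
    return False


def demo_user_can(action, resource="*"):
    """What Demo-STS can do with its own credentials, before switching role."""
    return is_allowed([USER_INLINE_POLICY], action, resource)


def assumed_role_can(action, resource="*"):
    """What the same person can do after switching into the role."""
    return is_allowed([ROLE_PERMISSIONS_POLICY], action, resource)


if __name__ == "__main__":
    print(json.dumps(USER_INLINE_POLICY, indent=2))
    print("user  ec2:DescribeInstances :", demo_user_can("ec2:DescribeInstances"))
    print("user  sts:AssumeRole on role:", demo_user_can("sts:AssumeRole", ROLE_ARN))
    print("role  ec2:DescribeInstances :", assumed_role_can("ec2:DescribeInstances"))
    print("role  s3:ListAllMyBuckets   :", assumed_role_can("s3:ListAllMyBuckets"))
```

Two things the evaluator makes visible: the user's own policy matches nothing under `ec2:*`, so the EC2 console stays empty until the role is assumed, and the role's policy matches nothing under `s3:*`, so the S3 Access Denied in the next section is expected rather than a misconfiguration.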


3ļøāƒ£ Checking if Assume Role is established and can be used by the new IAM user (Demo-STS).

  • Open the "Link to switch roles in console" in a new browser while signed in as the new IAM user (Demo-STS) and click on Switch Role.


  • You can see the new IAM user (Demo-STS) now has full access ONLY to EC2 services.


  • Try checking for an S3 bucket with the same user and you will see it has no access to S3 services. You get Access Denied, because we did not attach an S3 access policy to the IAM role in the management account.


  • Select the drop-down and click on Sign out current account.


  • Now you are back to the original permissions of Demo-STS, which has no access to EC2.
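"Switch Role" in the console is a call to STS AssumeRole under the hood: the user presents its own credentials, and STS returns a short-lived access key, secret key and session token that carry the role's permissions until they expire. The following is an added example, not code from the original post, showing the same exchange from the CLI/SDK side with boto3. It assumes boto3 is installed and that the environment already holds the Demo-STS user's credentials; the role ARN and the sample response are constructed placeholders. Only `assume_role()` talks to AWS, and it is called only from `__main__`; the helpers around it run offline.

```python
"""Added example (not from the original post): the SDK equivalent of
"Switch Role", i.e. sts:AssumeRole returning temporary credentials.

Assumptions: boto3 installed; caller's env holds the Demo-STS user's keys;
ROLE_ARN and SAMPLE_RESPONSE are constructed placeholders.
"""
from datetime import datetime, timezone
import os

ROLE_ARN = "arn:aws:iam::123456789012:role/EC2-Full-Access-STS"  # placeholder


def assume_role_params(role_arn, session_name, duration_seconds=3600):
    """Build the AssumeRole request. STS accepts 900..43200 seconds, further
    capped by the role's MaxSessionDuration (1 hour by default)."""
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {
        "RoleArn": role_arn,
        # RoleSessionName is what CloudTrail records for the assumed-role
        # session, so pick something that identifies the caller/purpose.
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }


def credentials_to_env(assume_role_response):
    """Map an AssumeRole response to the env vars the AWS CLI/SDKs read.
    All three must be set together: the session token is what marks the
    key pair as temporary."""
    creds = assume_role_response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def seconds_until_expiry(assume_role_response, now=None):
    """Seconds left before the temporary credentials stop working."""
    now = now or datetime.now(timezone.utc)
    expiry = assume_role_response["Credentials"]["Expiration"]
    return (expiry - now).total_seconds()


def assume_role(role_arn, session_name, duration_seconds=3600):
    """Real STS call: needs network access and the user's own credentials.
    Succeeds only if the user's policy allows sts:AssumeRole on the role AND
    the role's trust policy allows the user's account, as set up in step 2."""
    import boto3  # imported lazily so the offline helpers work without it
    sts = boto3.client("sts")
    return sts.assume_role(**assume_role_params(role_arn, session_name, duration_seconds))


# Constructed sample with the shape STS returns; every value here is fake.
SAMPLE_NOW = datetime(2030, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
        "SecretAccessKey": "exampleSecretKeyNotReal",
        "SessionToken": "exampleSessionTokenNotReal",
        "Expiration": datetime(2030, 1, 1, 1, 0, tzinfo=timezone.utc),
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:demo-sts-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/EC2-Full-Access-STS/demo-sts-session",
    },
}

if __name__ == "__main__":
    resp = assume_role(ROLE_ARN, "demo-sts-session")
    os.environ.update(credentials_to_env(resp))
    print("temporary credentials valid for", seconds_until_expiry(resp), "seconds")
    # Any boto3 client created from here on runs as the role, i.e. with the
    # role's EC2 access only, and stops working once the expiry passes.
```

The `AssumedRoleUser.Arn` in the response is the identity CloudTrail will show for everything done with these credentials, which is the auditability point from the introduction: actions are tied to a named session of the role rather than to a long-term key.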


4ļøāƒ£ Cleaning up your environment.

  • First click on Roles and delete the role (EC2-Full-Access-STS). Next click on Users and delete the newly created IAM user (Demo-STS).


šŸ„³šŸ‘šŸ¾Well done, we just did an STS ASSUME ROLE and if you like my content please like, share and comment what you think about STS and what you like to see nextĀ content, your understanding is my priority šŸ’Ÿ

#awscommunitybuilder #AWS #STSAssumeRole #ContinuousLearning

🔗 LinkedIn: https://www.linkedin.com/in/joseph-ndambombi-honpah-2044b5277

Joseph Ndambombi Honpah 😊
