We’ll focus on a specific scenario involving the AWS Security Token Service (STS) and the “assume role” command. We’ll learn how to require an external ID, adding an extra layer of context and security to your AWS resources.
Scenario Overview
Imagine you have someone managing your AWS account for you, and you want to ensure they provide an additional piece of context when assuming a role. This context could be an account number or identifier. We’ll use conditions in IAM to enforce the requirement that an external ID must be provided when assuming a role. This helps you track who is making calls and why.
Demo
Let’s dive into a hands-on demonstration to see how this works.
1. Set Up Your Environment
Start by opening your command line interface. Ensure you’re configured to use the “assume role” demo user. You can verify this with the following command:
aws sts get-caller-identity
2. Create a Role
In the AWS Management Console, create a role with the necessary permissions. In this example, we’ll use a role with full access to Amazon S3.
3. Define Trust Relationship
The real magic happens in the trust relationship. This is where you specify who is allowed to assume the role. Review the policy used in the background:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YOUR-ACCOUNT-ID:user/USERNAME"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "kodecamps"
        }
      }
    }
  ]
}
This policy allows a specific IAM user to call sts:AssumeRole on the role, but only if the request also carries the matching external ID, in this case “kodecamps.” Because the condition uses StringEquals, a request that omits the external ID entirely fails the check just as a wrong value does.
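As an added example that is not part of the original post, the following Python snippet models how IAM evaluates this trust policy’s StringEquals condition, so you can see which AssumeRole requests it admits and which it rejects. The account ID 111122223333 and the user name assume-role-demo are constructed placeholders, and only the operators this particular policy uses are modelled.

```python
import json

# The trust policy from the post, with constructed placeholder values
# filled in. Only the operators this policy uses (Allow, StringEquals)
# are modelled; real IAM evaluation is broader than this.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/assume-role-demo"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "kodecamps"}}
  }]
}
""")

USER = "arn:aws:iam::111122223333:user/assume-role-demo"  # constructed


def _matches(allowed, actual):
    """Policy values may be a single string or a list of strings."""
    return actual in ([allowed] if isinstance(allowed, str) else allowed)


def statement_allows(stmt, principal_arn, action, context):
    """True when an Allow statement matches principal, action and conditions."""
    if stmt["Effect"] != "Allow":
        return False
    if not _matches(stmt["Principal"]["AWS"], principal_arn):
        return False
    if not _matches(stmt["Action"], action):
        return False
    # Every StringEquals key must be satisfied. A key absent from the request
    # (the caller omitted --external-id) makes the condition false.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key not in context or not _matches(expected, context[key]):
            return False
    return True


def can_assume(policy, principal_arn, context, action="sts:AssumeRole"):
    """Any matching Allow statement grants access; otherwise implicit deny."""
    return any(statement_allows(s, principal_arn, action, context)
               for s in policy["Statement"])


if __name__ == "__main__":
    print(can_assume(TRUST_POLICY, USER, {"sts:ExternalId": "kodecamps"}))  # True
    print(can_assume(TRUST_POLICY, USER, {}))                               # False
    print(can_assume(TRUST_POLICY, USER, {"sts:ExternalId": "other"}))      # False
```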
4. Assume the Role
Back in the command line, use the following command to assume the role:
aws sts assume-role --role-arn ARN-OF-THE-ROLE --role-session-name demo --external-id kodecamps
Replace ARN-OF-THE-ROLE with the actual ARN of your role. The --external-id value must match the one set in the trust policy, otherwise the call is denied.
5. Export Temporary Credentials
Export the temporary credentials you received:
export AWS_ACCESS_KEY_ID=YOUR-ACCESS-KEY-ID
export AWS_SECRET_ACCESS_KEY=YOUR-SECRET-ACCESS-KEY
export AWS_SESSION_TOKEN=YOUR-SESSION-TOKEN
6. Verify the Role
Check the assumed role by running:
aws sts get-caller-identity
You should now see the assumed role’s identity.
7. Test Access
Finally, test access to your AWS resources using the assumed role’s credentials. For example:
aws s3 ls
Conclusion
Using external IDs in IAM trust policies adds an extra layer of validation to your IAM roles. It ensures that users assume roles with specific context, enhancing security and accountability in your AWS environment. This capability is particularly valuable when multiple entities interact with your AWS resources. Happy cloud computing!