Using External IDs in AWS IAM: A Hands-On Demo

We’ll focus on a specific scenario involving the Security Token Service (STS) and the “assume role” command. We’ll learn how to require an external ID, adding an extra layer of context and security to role assumption in your AWS account.

Scenario Overview

Imagine you have someone managing your AWS account for you, and you want to ensure they provide an additional piece of context when assuming a role. This context could be an account number or identifier. We’ll use conditions in IAM to enforce the requirement that an external ID must be provided when assuming a role. This helps you track who is making calls and why.

Demo

Let’s dive into a hands-on demonstration to see how this works.

1. Set Up Your Environment

Start by opening your command line interface. Ensure you’re configured to use the “assume role” demo user. You can verify this with the following command:

aws sts get-caller-identity

2. Create a Role

In the AWS Management Console, create a role with the necessary permissions. In this example, we’ll use a role with full access to Amazon S3.

3. Define Trust Relationship

The real magic happens in the trust relationship. This is where you specify who is allowed to assume the role, and under which conditions. Review the trust policy attached to the role:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::YOUR-ACCOUNT-ID:user/USERNAME"
         },
         "Action":"sts:AssumeRole",
         "Condition":{
            "StringEquals":{
               "sts:ExternalId":"kodecamps"
            }
         }
      }
   ]
}

This policy allows a specific user to run the sts:AssumeRole command, but only if they provide the correct external ID, in this case, “kodecamps.” If the external ID is omitted or does not match (the comparison is case-sensitive), the StringEquals condition is not met, no statement grants the action, and STS denies the AssumeRole call.
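To see why a missing or mismatched external ID is refused, here is an added example (not code from the original post) that models the relevant part of IAM evaluation for the demo’s trust policy: principal match, action match, and a StringEquals condition that evaluates to false when the sts:ExternalId key is absent. The account ID 123456789012 and the user name assume-role-demo are constructed placeholders.

```python
import json

# Trust policy from the demo above, embedded here as constructed sample input
# (account ID and user name are placeholders, not values from the post).
TRUST_POLICY = json.loads("""
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{"AWS":"arn:aws:iam::123456789012:user/assume-role-demo"},
         "Action":"sts:AssumeRole",
         "Condition":{"StringEquals":{"sts:ExternalId":"kodecamps"}}
      }
   ]
}
""")

def _as_list(value):
    # IAM accepts a single string or a list for Principal/Action values.
    return [value] if isinstance(value, str) else list(value)

def _conditions_met(conditions, request_context):
    """Evaluate the Condition block against the request context.
    Only StringEquals is modelled, the operator the demo policy uses.
    A key absent from the context makes StringEquals evaluate to false."""
    for operator, pairs in conditions.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if request_context.get(key) != expected:   # case-sensitive compare
                return False
    return True

def assume_role_allowed(policy, caller_arn, external_id=None):
    """Return True if the trust policy lets caller_arn call sts:AssumeRole.
    external_id is what the caller passed via --external-id (None = omitted).
    No matching Allow statement means an implicit deny, as in IAM."""
    ctx = {} if external_id is None else {"sts:ExternalId": external_id}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if caller_arn not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if _conditions_met(stmt.get("Condition", {}), ctx):
            return True
    return False

if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/assume-role-demo"
    print(assume_role_allowed(TRUST_POLICY, user))               # False: no --external-id
    print(assume_role_allowed(TRUST_POLICY, user, "KodeCamps"))  # False: wrong case
    print(assume_role_allowed(TRUST_POLICY, user, "kodecamps"))  # True
```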

4. Assume the Role

Back in the command line, use the following command to assume the role, passing the external ID the trust policy expects:

aws sts assume-role --role-arn ARN-OF-THE-ROLE --role-session-name demo --external-id kodecamps

Replace ARN-OF-THE-ROLE with the actual ARN of your role. Without the --external-id option the call fails with an AccessDenied error, because the trust policy’s condition is not satisfied.

5. Export Temporary Credentials

Export the temporary credentials returned in the Credentials block of the assume-role response:

export AWS_ACCESS_KEY_ID=YOUR-ACCESS-KEY-ID
export AWS_SECRET_ACCESS_KEY=YOUR-SECRET-ACCESS-KEY
export AWS_SESSION_TOKEN=YOUR-SESSION-TOKEN

6. Verify the Role

Check the assumed role by running:

aws sts get-caller-identity

You should now see the assumed role’s identity.

7. Test Access

Finally, test access to your AWS resources using the assumed role’s credentials. For example:

aws s3 ls

Conclusion

Using external IDs in IAM trust policies adds an extra layer of validation to your IAM roles. It ensures that users assume roles with specific context, enhancing security and accountability in your AWS environment. This capability is particularly valuable when multiple entities interact with your AWS resources. Happy cloud computing!
