I use the AWS Console, to switch my role from A to B on the same account (account1). Then I would like to switch from B to role C which is on another account (account2). The switch from A to B is working, but then from B to C is not.
B trusts in arn:aws:iam::account1.id:role/A
C trusts in arn:aws:iam::account2.id:role/B
Is this a limitation of AWS, or should it be possible to switch roles transitively?
I found the answer, it is not possible to switch roles transitively in AWS Console
Based on this AWS documentation:
When you switch roles in the AWS Management Console, the console always uses your original credentials to authorize the switch. This applies whether you sign in as an IAM user, as a SAML-federated role, or as a web-identity federated role. For example, if you switch to RoleA, it uses your original user or federated role credentials to determine if you are allowed to assume RoleA. If you then try to switch to RoleB while you are using RoleA, your original user or federated role credentials are used to authorize your attempt, not the credentials for RoleA.
Related
Was trying to start a session[terminal] via ssm on an instance in another account. using command
aws ssm start-session --target i-yyyaf4692d801d1xx --region ap-south-1
but it was failing with response as "Target is not connected".
we get this response when the instance is usually not found in the inventory of Systems Manager. - which i can't add, as the instance is in another account
END Goal: I wish to use users created in Account A to be able to start sessions on instances on Account B. both part of the same organisation.
Also,
my user has appropriate permissions have verified it through IAM Simulator
it seems instance IDs are unique and associated to one account only.
the instance is accessible by local users in that account.
[update 9th Jan 2023]
Thanks for the responses, its clear that IAM Role[with assume role sts] suffices the request conditions.
But i was looking for some seamless method, where we dont need to generate temporary credentials and use them for access each time.
May be a script to do this task or something would do. As IAM Principal: Users need to generate temp creds manually which is not the case with IAM Roles
You need to delegate access between the accounts. You can do this by creating a role in the target account which is allowed to assumed by users in the other account.
Setup the access:
Create an IAM role with necessary IAM permissions to access the instances in the target account (account B)
Create a trust relationship on the role in the target account to trust the appropriate principals (users or roles) in the source account (account A).
Grant the appropriate principals (users or roles) in the the source account (account A) permission to call the sts assume-role API for the role in the target account (account B)
Use the access:
From your user profile or role in account A, call the sts assume-role API to obtain credentials for the role you created in account B.
Use the credentials returned by the sts assume-role call in order to call the API using the identity assumed in account B to access the resources.
See: cross-account IAM access for more details.
I have two roles configured in my IAM called "role1" and "role2" and a user called "foobar". The trust policy of "role2" is configured so that "role1" is granted the AssumeRole action, while "role1" can be assumed by the foobar user.
So the workflow to use role2 would be to login as user foobar, then assume role1 and from there assume role2.
I know that I can easily jump from role1 to role2 in the CLI by setting the source_profile value in the configuration file ~/.aws/config. But I have been unable to do the same thing in the management console (web interface). There is the "Switch Role" menu, but that only allows me to assume the role from the user not logged in, not from an already assumed role.
So my question is: How can I switch to "role2" in the scenario described above from the management console?
I think the transitive IAM Role switch from AWS Console is not allowed as per the documentation
Granting a user permissions to switch roles
When you switch roles in the AWS Management Console, the console always uses your original credentials to authorize the switch. This applies whether you sign in as an IAM user, as a SAML-federated role, or as a web-identity federated role. For example, if you switch to RoleA, it uses your original user or federated role credentials to determine if you are allowed to assume RoleA. If you then try to switch to RoleB while you are using RoleA, your original user or federated role credentials are used to authorize your attempt, not the credentials for RoleA.
Question
What does exactly "Assume" a role mean in AWS and where is the definitive definition provided?
Background
Assuming a role is frequently used and trying to understand the definition and what it actually means.
I suppose when a principal (IAM user, application running in an EC2 instance, etc which invokes an action to access AWS resource(s)) needs to invoke an action to access an AWS resource:
AWS (API? or some Authorisation runtime in AWS?) identifies the roles which the principal can be granted. e.g. if an EC2 user is specified to execute the assume-role API call and run an application which accesses an AWS resources in an EC2 instance to which IAM profile is attached, then:
All the IAM roles from the EC2 IAM profile
IAM roles and policies requested in the assume-role call
IAM roles which the EC2 user is granted
AWS finds a role from the roles which has the policy (action, resource) that allows the principle to do the action on the resource.
AWS switches the role of the principle to the role identified.
When the step 3 has happened, it is said "the principal has assumed the role". Is this correct?
Research
Using IAM Roles
Before an IAM user, application, or service can use a role that you created, you must grant permissions to switch to the role. You can use any policy attached to one of an IAM user's groups or to the user itself to grant the necessary permissions.
Assuming a Role
AssumeRole
Using IAM Roles
Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
Assuming a role means asking Security Token Service (STS) to provide you with a set of temporary credentials -- role credentials -- that are specific to the role you want to assume. (Specifically, a new "session" with that role.)
You can optionally include a policy with this request, which will serve to limit the permissions of the temporary credentials to only a subset of what the role's policies would have allowed.
You then use these credentials to make further requests. These credentials look similar to IAM user credentials with an access-key-id and secret, but the access key begins with ASIA instead of AKIA and there's a third element, called the security token, which must be included in requests signed with the temporary credentials.
When you make requests with these temporary credentials, you have the permissions associated with the role, and not your own (if you have one) because you have taken on a new identity. CloudTrail can be used to trace the role credentials back to the user who assumed the role, but otherwise the service is unaware of who is using the credentials.
tl;dr: Assuming a role means obtaining a set of temporary credentials which are associated with the role and not with the entity that assumed the role.
AWS (API? or some Authorisation runtime in AWS?) identifies the roles which the principal can be granted.
No. You specify the role you want to assume.
When "you" are code running on an EC2 instance, and the instance has an instance role, the EC2 infrastructure actually calls assume-role on behalf of the instance, and you can fetch the temporary credentials from the instance metadata service. These credentials are accessible only from within the instance, but they are not stored on the instance.
When running a Lambda function, the Lambda infrastructure contacts STS and places your temporary credentials in environment variables. Again, these credentials are accessible to the function, without being stored inside the function.
In either case, you could call assume role with these credentials and assume a different role, but that should not be necessary in most environments.
e.g. if an EC2 user is specified to execute the assume-role API call and run an application which accesses an AWS resources in an EC2 instance to which IAM profile is attached, then:
AWS has no awareness of EC2 users. Instance roles are accessible to everything running on the instance.
All the IAM roles from the EC2 IAM profile
An instance profile can only include one role.
IAM roles and policies requested in the assume-role call
You request to assume exactly one role. You do not need to request a policy -- you only specify a policy if you want the temporary credentials to have fewer privileges than the role credentials would allow. This might be something you would do if you needed code running in an untrusted place -- such as code in a browser or an app -- to be able to sign requests with credentials.
AWS finds a role from the roles which has the policy (action, resource) that allows the principle to do the action on the resource.
No. As noted above, you ask for a specific role when you call assume-role.
AWS switches the role of the principle to the role identified.
No. You make the switch by using the temporary credentials provided.
I have created the following diagram for myself to understand what is exactly assume a role in AWS. Hopefully, you will also find it helpful.
In the diagram, I put it in 3 steps:
Prepare the roles (ExecutionRole and AssumedRole)
Create a Lambda Function on Account A (in your case it is EC2)
Execute the LambdaFunction.
The diagram uses cross-account as an example, if it is within the same account step 1.3 is not required.
Typically, you use AssumeRole within your account or for cross-account access.
...
Users in the same account as the role do not need explicit permission to assume the role. Source: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
When step 3 has happened, it is said: "the principal has assumed the
role". Is this correct?
The steps you mentioned in assuming a role are correct.
Here the important point is the IAM role's Trust Relationship configuration where you grant each of the IAM user, application, or service to assume the role. That is where you grant the permission to assume the particular role.
This is important in many aspects, where it controls who can assume the role and it is important to provide not only least access to the role but also grant the least amount of entities who can assume the role.
I am looking to use AWS STS to access resources from another AWS account owned by another team.
say, AWS Account A trying to access AWS Account B.
basically the steps I am following:
1. Create a user in Account A
2. Create Role in Account B with the necesaary permissions
3. Add assume role permissions for user in Account A
4. Use User credentials to get temporary credentials for Account B.
5. Use temp credentials on Account B.
But, after reading through a ton of AWS docs, I am unable to figure out which account gets billed for the cross account API calls?
When you use AssumeRole to grant access to another Amazon account (account B), your identity switches to the other account with the username being the role name that you assumed.
The only cross account API being called will be AssumeRole. After this succeeds you will be using the APIs using account B's temporary credentials that were returned from AssumeRole.
All ownership, billing, etc. will be the same as if you had originally logged into account B as a normal IAM user except for the user name.
CloudTrail records STS type calls such as AssumeRole and logs all authenticated API requests. Once AssumeRole succeeds, your activity (using the temporary credentials) will be logged by CloudTrail in account B. This assumes of course that CloudTrail is enabled.
This link will give you more details into the user identity that AWS uses when using AssumeRole.
CloudTrail userIdentity Element
When you create a role for cross-account access, you establish trust from the account that owns the role and the resources (trusting account) to the account that contains the users (trusted account). To do this, you specify the trusted account number as the Principal in the role's trust policy. That allows potentially any user in the trusted account to assume the role. To complete the configuration, the administrator of the trusted account must give specific groups or users in that account permission to switch to the role.
Link
As everyone has mentioned a user from the account A is just assuming a role in account B to temporary access resources in account B,ownership stays still and the owner pays for the resources he owns. In this case it is the account B who pays. STS is the service being used to assume a role and is part of IAM.
The following was taken from IAM FAQ.
Q: How do I assume an IAM role?
You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML). These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
Q: How many IAM roles can I assume?
There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.
Q: Who can use IAM roles?
Any AWS customer can use IAM roles.
Q: How much do IAM roles cost?
IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.
How would you switch to a user in the AWS console?
I've set up an IAM policy for a user and I'd like to test whether they're working or not.
I've tried switching roles http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
using the account id from the User ARN (e.g.
arn:aws:iam::<account id>:user/<username>
in
https://signin.aws.amazon.com/switchrole
using:
Account: <account id>
Role: test_user
Display Name: Test User
then clicking Switch Role but I get:
Could not switch roles using the provided information. Please check your settings and try again. If you continue to have problems, contact your administrator.
Note: I am an Admin with full access.
You cannot use the Switch Role functionality to switch to a User.
You have two options:
Login as the User you wish to test, or
Create a Role with the same permissions, switch to the Role, then test
The easiest is to simply login as the user you wish to test. However, this can be a poor security practice because you are using another person's account and any actions you perform would be recorded against that user in Amazon CloudTrail (audit trail).
Alternatively, you could create a new IAM Role and assign exactly the same permissions to that Role. You would also need to assign a Trust Policy to the role to permit it to be used by you (your IAM User). You can then switch to that role in the console. This will work, unless you have any policies that specifically reference the User you wish to test (which will not recognise your Role permissions).
The best way to do this is fully log out of the AWS console. Or you can use a different browser so you can be logged into both at the same time.