Overview

  • An IAM Role is an IAM entity that defines a set of permissions for making AWS service requests (what can I do?). A role is not tied to a specific user or group; instead, trusted entities (IAM users, applications, or AWS services such as EC2) assume it, and the role's trust policy decides who may do so.
  • An instance profile is the container that hands a role to an EC2 instance (who am I?): an instance carries at most one instance profile, and a profile holds at most one role. The instance obtains temporary credentials for that role from the instance metadata service (IMDS), and AWS rotates them automatically before they expire.
  • Applications on the instance pick up these credentials (the AWS SDKs and CLI do this automatically) and act with the role's permissions, so no long-lived access keys need to be stored or rotated on the host. Note that anything able to issue HTTP requests from the instance, including an SSRF bug in a web application, can read the same credentials from the metadata endpoint, so require IMDSv2 on the instance and keep the role's permissions minimal.

Setup Steps

Management Console
  • Create a new IAM policy, e.g. read access to one S3 bucket
  • Create a new IAM role for the EC2 use case and attach the IAM policy to it
    • Note: the console creates the trust policy for EC2 (and an instance profile with the same name as the role) automatically, whereas both must be created explicitly in the CLI approach below
  • Attach the IAM role (i.e. its instance profile) to the EC2 instance(s)
  • Test access: from the instance, run the AWS CLI without any configured keys and confirm that reads from the bucket succeed while writes are denied

Command Line Interface
# SSH into the EC2 bastion host
ssh cloud_user@public_ipv4_ip

# Run aws configure with the credentials of an IAM identity allowed to create roles and policies (these are the administrator's keys, not the instance's), and set the default region and output format
aws configure

AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-east-1
Default output format [None]: json

# Create the trust policy that lets the EC2 service assume the role (this is what the console generates for you)
vim trust_policy_ec2.json

# trust_policy_ec2.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}

# Create IAM Role
aws iam create-role --role-name DEV_ROLE --assume-role-policy-document file://trust_policy_ec2.json

# Grant the role read access to S3: create a new policy document scoped to the dev bucket
vim dev_s3_read_access.json

# dev_s3_read_access.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::<DEV_S3_BUCKET_NAME>/*",
        "arn:aws:s3:::<DEV_S3_BUCKET_NAME>"
      ]
    }
  ]
}

# Create the managed policy called DevS3ReadAccess (note the Arn in the output; it is needed below)
aws iam create-policy --policy-name DevS3ReadAccess --policy-document file://dev_s3_read_access.json

# Attach the managed policy to the role (use the Arn returned by create-policy)
aws iam attach-role-policy --role-name DEV_ROLE --policy-arn "<DevS3ReadAccess_POLICY_ARN>"

# Verify the managed policy was attached:
aws iam list-attached-role-policies --role-name DEV_ROLE

# Create the instance profile (the console does this implicitly when it creates an EC2 role)
aws iam create-instance-profile --instance-profile-name DEV_PROFILE

# Add DEV_ROLE to the DEV_PROFILE instance profile (a profile holds at most one role)
aws iam add-role-to-instance-profile --instance-profile-name DEV_PROFILE --role-name DEV_ROLE

# Verify the configuration
aws iam get-instance-profile --instance-profile-name DEV_PROFILE

# Attach the DEV_PROFILE instance profile to the instance (an instance carries one profile at a time; if one is already attached, use replace-iam-instance-profile-association instead)
aws ec2 associate-iam-instance-profile --instance-id <LAB_WEB_SERVER_INSTANCE_ID> --iam-instance-profile Name="DEV_PROFILE"

# Verify the instance now reports the profile
aws ec2 describe-instances --instance-ids <LAB_WEB_SERVER_INSTANCE_ID> --query 'Reservations[].Instances[].IamInstanceProfile'
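The following Python script is an added example and is not part of the original page or the lab it describes. It lints the trust policy from the CLI section (flagging a "*" or account principal, NotPrincipal, or actions beyond sts:AssumeRole), cross-checks the output of the two verify commands so the instance really carries DEV_PROFILE with DEV_ROLE inside, and shows the IMDSv2 exchange an application on the instance performs to obtain the role's temporary credentials. The account ID 123456789012, the instance ID, the token and the credential values are constructed placeholders, and the sample API output is trimmed to the fields the checks use; fake_fetch stands in for the metadata service so the script runs offline, while _http_fetch is what you would pass on a real instance.

```python
"""Added example, not code from the original page: lint the trust policy, cross-check
the role -> instance profile -> instance chain from the two verify commands' output,
and fetch the role's temporary credentials the way an app on the instance does (IMDSv2).
Account ID, instance ID, token and credential values are constructed placeholders."""
import json
import urllib.request

IMDS = "http://169.254.169.254"
TRUSTED_SERVICE = "ec2.amazonaws.com"

# The trust_policy_ec2.json document from the CLI section.
TRUST_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"Service": TRUSTED_SERVICE},
                               "Action": "sts:AssumeRole"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_trust_policy(doc):
    """Findings for an EC2 role trust policy ([] means sane): a '*' or account principal
    lets far more than the EC2 service assume the role; NotPrincipal or extra actions too."""
    findings = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in st:
            findings.append("NotPrincipal in trust policy")
        p = st.get("Principal")
        if p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))):
            findings.append("wildcard principal")
        elif (not isinstance(p, dict) or set(p) != {"Service"}
              or _as_list(p["Service"]) != [TRUSTED_SERVICE]):
            findings.append(f"principal is not {TRUSTED_SERVICE}: {p!r}")
        for action in _as_list(st.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"unexpected action {action}")
    return findings


def instance_role_names(describe_instances_out, get_instance_profile_out):
    """Cross-check `aws ec2 describe-instances` against `aws iam get-instance-profile`:
    the instance must carry the profile's ARN; returns the role names inside it."""
    profile = get_instance_profile_out["InstanceProfile"]
    attached = {i.get("IamInstanceProfile", {}).get("Arn")
                for r in describe_instances_out["Reservations"] for i in r["Instances"]}
    if profile["Arn"] not in attached:
        raise ValueError(f"instance does not use {profile['InstanceProfileName']}")
    return [role["RoleName"] for role in profile["Roles"]]


def imds_credentials(role_name, fetch=None):
    """Fetch the role's temporary credentials as the SDKs do: IMDSv2 PUTs for a session
    token, then presents it on every GET. fetch(method, path, headers)->str is injectable."""
    fetch = fetch or _http_fetch
    token = fetch("PUT", "/latest/api/token", {"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    body = fetch("GET", f"/latest/meta-data/iam/security-credentials/{role_name}",
                 {"X-aws-ec2-metadata-token": token})
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {creds.get('Code')!r}")
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}


def _http_fetch(method, path, headers):
    req = urllib.request.Request(IMDS + path, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


# Constructed sample data, trimmed to the fields used; not real API output.
ACCT = "123456789012"
PROFILE_ARN = f"arn:aws:iam::{ACCT}:instance-profile/DEV_PROFILE"
SAMPLE_PROFILE = {"InstanceProfile": {
    "InstanceProfileName": "DEV_PROFILE", "Arn": PROFILE_ARN,
    "Roles": [{"RoleName": "DEV_ROLE", "Arn": f"arn:aws:iam::{ACCT}:role/DEV_ROLE"}]}}
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0", "IamInstanceProfile": {"Arn": PROFILE_ARN}}]}]}
SAMPLE_TOKEN = "AQAEA-constructed-token"
SAMPLE_CREDS = json.dumps({"Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLE",
                           "SecretAccessKey": "constructed", "Token": "constructed-session-token",
                           "Expiration": "2024-01-01T06:00:00Z"})


def fake_fetch(method, path, headers):
    """Offline stand-in for IMDS that enforces the v2 rule: no token, no data."""
    if method == "PUT" and path == "/latest/api/token":
        return SAMPLE_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != SAMPLE_TOKEN:
        raise PermissionError("401 Unauthorized: IMDSv2 token required")
    return SAMPLE_CREDS


if __name__ == "__main__":
    print("trust findings:", lint_trust_policy(TRUST_POLICY))
    print("roles on instance:", instance_role_names(SAMPLE_INSTANCES, SAMPLE_PROFILE))
    print("IMDS key id (offline):", imds_credentials("DEV_ROLE", fake_fetch)["AccessKeyId"])
```

Run it on the bastion with python3 (any filename, e.g. check_role.py) to lint trust_policy_ec2.json before create-role, or feed instance_role_names the real JSON from the get-instance-profile and describe-instances verify commands. On the instance itself, imds_credentials("DEV_ROLE") with the default fetcher performs the same token-then-GET exchange the AWS CLI does; the fake refuses a GET without the token, which is exactly what an instance with IMDSv2 enforced (aws ec2 modify-instance-metadata-options --instance-id <LAB_WEB_SERVER_INSTANCE_ID> --http-tokens required) does to an SSRF-driven credential read.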

Categories: AWSCloud