AWS IAM (Identity and Access Management) is a web service facilitated by Amazon that helps the user in securely controlling access to the resources of AWS. IAM can be used to control who gets authenticated to sign-in and who gets the authorization (has permissions) to use the resources provisioned by AWS.
An IAM role can be created with the help of AWS Management Console, AWS CLI, Tools for Windows PowerShell or IAM API.
If AWS Management Console is used to create an IAM role, a wizard guides the user through the entire steps. The steps while using the Console are slightly different in comparison to other methods.
IAM identities are created to provide authentication to people and process in the AWS accounts.
IAM root user
When an AWS account is created for the first time, the user signs in with a single identity which has access to all the AWS services and resources in the account. This identity is known as ‘AWS account root user’. This root user can be accessed by signing in with the email address and password that was used while creation of the account.
The root user is not recommended to be used for everyday tasks, not even the administrative ones. The root user has to be securely locked away and used only to perform specific account and service management related tasks.
The entity which is created in the AWS account is an IAM user, which represents a person or a service that uses IAM user to interact with AWS. One of the uses of IAM users is to provide people the ability to sign into their AWS Management Console to perform interactive task and programmatic request to other Amazon services with the help of an API or using the CLI.
A user has a name, a password that is used to sign into the AWS Management Console and about 2 access keys which can be used in conjunction with the API or CLI. When an IAM user is created, it can be granted certain permissions after it has been made as a member if a group which has the appropriate permission policies attached to it, or by directly attaching the policies to the user.
Permissions can be cloned from an existing IAM user which will automatically make the new user as a member of the same group, and attaches the policies to the user.
It is a collection of IAM users, which is made to specify permissions for a specific collection of users. This makes it easy to manage the permissions for those users. If a permission is assigned to a group, any user of that group automatically has the same permissions.
In this post, we understood the different identities which can be assigned to an IAM user.
IAM role is similar to user, since it is an identity which provides permission policies which are used to determine the operations which the identity can do within AWS. A role doesn’t have any credentials, such as password or access keys attached to it. It can be uniquely associated with a user since a role is basically used to be assumed by a user for a specific task or when need. An IAM user can assume a specific role to be granted specific permissions to perform specific tasks. A role can be assigned to a federated user who can sign in with the help of an external identity provider instead of using IAM. AWS uses the details passed via the identity provider so as to determine the role that can be mapped to the federated user.
An application that runs on Amazon Elastic Cloud Compute (EC2) instance and makes requests to AWS: An IAM role can be created that can be attached to the EC2 instance so as to provide temporary security credentials to the applications which run on this instance. When an application uses these credentials in AWS, it gets the ability to perform all operations that would be allowed by the policies which are attached to the role.
An application that runs on mobile and makes requests to AWS: An identity provider such as Login with Amazon, or Amazon Cognito or Facebook or Google can be used to authenticate users and map them to an IAM role. Applications can be used to provide the role with temporary security credentials which have the required permissions (based on the policies that are attached to the role).