How to create an IAM role using the AWS Management Console?
AWS IAM (Identity and Access Management) is a web service provided by AWS that helps you securely control access to your AWS resources. IAM controls who is authenticated (can sign in) and who is authorized (has permissions) to use the resources provisioned in the account.
An IAM role can be created with the AWS Management Console, the AWS CLI, the Tools for Windows PowerShell, or the IAM API.
If the AWS Management Console is used, a wizard guides you through all of the steps; these differ slightly from the other methods. In this post, we will look at the steps to create an IAM role using the AWS Management Console.
- Sign in to the AWS Management Console.
- Open the IAM console.
- In the navigation pane of the console, click ‘Roles’ and choose ‘Create role’.
- Choose the ‘Another AWS account’ role type.
- For ‘Account ID’, enter the ID of the AWS account whose users should be allowed to assume the role and use the resources.
- The administrator of that account can grant any IAM user in the account permission to assume this role.
- To do so, the administrator attaches a policy to a user or group that grants permission to assume the role (the `sts:AssumeRole` action). That policy should specify the role’s ARN as its ‘Resource’.
- If you are granting permission to users in an account you don’t control, the role has to be assumed programmatically, so select ‘Require external ID’:
- The external ID can be any word or number that you and the administrator of the third-party account agree on.
- This option automatically adds a condition to the role’s trust policy so that the role can be assumed only if the request carries that specific external ID.
- If you want to restrict the role to users who signed in with multi-factor authentication (MFA), select ‘Require MFA’. This adds a condition to the role’s trust policy that checks for MFA whenever a user signs in and then tries to assume the role. The user must supply the temporary one-time password generated by a configured MFA device; without it the role can’t be assumed.
- Click ‘Next: Permissions’.
- IAM lists the AWS managed policies and the customer managed policies in your account. Choose a policy from this list, or click ‘Create policy’ to open a new browser tab and create a new one.
- Once the policy has been created, close that browser tab and return to the original tab.
- Select the check box next to each permissions policy you want to attach; these are the permissions granted to whoever assumes the role.
- Policies can also be attached to the role at a later point in time. By default, a user has no permission to assume any role.
- A ‘permissions boundary’ can also be set; this is an optional, advanced feature.
- Choose ‘Next: Tags’.
- Metadata can be attached to the role by providing tags in the form of key-value pairs. This step is an optional one.
- Now click on ‘Next: Review’.
- Enter a name in the ‘Role name’ field.
- A role description can be provided, which is optional.
- Review the role and click on ‘Create role’.
Note: A user in the trusted account can assume the role only if that account has granted them permission to do so.
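The two policy documents the wizard produces for the ‘Another AWS account’ type are worth seeing side by side: the role’s trust policy (with the ‘Require external ID’ and ‘Require MFA’ conditions) and the delegation policy the trusted account’s administrator attaches to a user or group, with the role ARN as its Resource. The following is an added example, not code from the original post or from AWS; the account IDs and role name are constructed placeholders, and `assume_role_allowed` is a deliberately simplified check of only those two conditions, not a full IAM policy evaluator.

```python
import json

# Constructed sample values for illustration only; none of these are real
# accounts, and the role name is hypothetical.
TRUSTING_ACCOUNT = "111111111111"  # account that owns the role
TRUSTED_ACCOUNT = "222222222222"   # the "Another AWS account" entered in the wizard
ROLE_NAME = "ExampleCrossAccountRole"
ROLE_ARN = f"arn:aws:iam::{TRUSTING_ACCOUNT}:role/{ROLE_NAME}"


def build_trust_policy(trusted_account, external_id=None, require_mfa=False):
    """Trust policy for the 'Another AWS account' role type.

    'Require external ID' adds a StringEquals condition on sts:ExternalId;
    'Require MFA' adds a Bool condition on aws:MultiFactorAuthPresent.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id is not None:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_delegation_policy(role_arn):
    """Identity policy the trusted account's administrator attaches to a user
    or group; the role's ARN is the Resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}
        ],
    }


def assume_role_allowed(trust_policy, caller_account, external_id=None, mfa_present=False):
    """Simplified check of the two wizard-added trust conditions.

    Models only an account-root principal plus the ExternalId and MFA
    conditions; it is not a general IAM policy evaluator.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue  # caller is not the trusted account
        cond = stmt.get("Condition", {})
        expected_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if expected_id is not None and external_id != expected_id:
            continue  # request lacks the agreed external ID
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue  # MFA required but not present on the session
        return True
    return False


if __name__ == "__main__":
    trust = build_trust_policy(TRUSTED_ACCOUNT, external_id="agreed-external-id", require_mfa=True)
    print(json.dumps(trust, indent=2))
    print(json.dumps(build_delegation_policy(ROLE_ARN), indent=2))
    # A request from the trusted account with the right external ID and MFA is allowed
    print(assume_role_allowed(trust, TRUSTED_ACCOUNT, "agreed-external-id", mfa_present=True))
```

Running the script prints both documents as the console would store them; the checker then shows why a request from another account, one with the wrong external ID, or one without MFA is refused even though the account is trusted, which is exactly what the two wizard options add to the trust policy.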