IAM Role

IAM role is an identity that you may create in your account with specific permissions. Unlike IAM user which is specified to single user, IAM role can be assumed by anyone. Also, IAM role does not have long term credentials like password or credential keys. Instead, temporary security credentials will be provided when you assume role.

So how exactly can we use IAM Role? Let us consider normal cases - role switching. Role switching is the action where IAM role/user call different IAM role to collect the policies. This will be useful to delegate access to your AWS resources. In order to assume role, trust relationship should be made between two.

role_process

  1. Inside Production Account, Admin creates role UpdateApp that grants Development account to read/write to S3 productionapp bucket.
    1. Creating a role can be done by multiple methods, including console and CLI
  2. Then, inside Development Account, Admin will give Group: Developers a permission to assume the UpdateApp role
    1. This can be done by providing sts:AssumeRole action for the UpdateApp role
  3. Then, user inside Group: Developers switches to the role using either console by pressing Switch Role, or CLI by calling the AssumeRole function and ARN of the UpdateApp Role to obtain credentials.
  4. AWS STS (Security Token Service) will verify if the request is from trusted entity, and will provide temporary credentials
  5. Using this temporary credentials, user in Group:Developers can update productionapp bucket.

STS

AWS STS is a service to generate temporary security credentials. This has a default endpoint of https://sts.amazonaws.com.

So, how does STS work? STS works by calling API. There are several APIs that STS provide as actions, but I will mention only few that are essential

  • GetSessionToken
    • GetSessionToken will return a temporary credentials for an AWS account or IAM user. This is usually used when you are using MFA for credentials
  • GetAccessKeyInfo
    • This will return the account identifier for the specified access key ID. This means, this will return the number used to identify the account
  • GetCallerIdentity
    • This returns the details of IAM user/role that are used to call the operation. This includes Account, Arn, UserId
  • AssumeRole
    • This is the most essential action of STS. As explained earlier, AssumeRole is used to obtain temporary security credentials - access Key ID, secret access key and security token. When requesting, you need to provide RoleArn (ARN of role that you will assume), RoleSessionName (This session name is to uniquely identify a session when the same role is assumed by different principals or for different reasons. Usually, you provide something like username).
    • This will return AssumeRoleUser (ARN, assumed role ID and RoleSessionName), Credentials, PackedPolicySize (Packed size of the session policies and session tags combined passed in the request), and SourceIdentity (Who called it)
    • This credentials will last few minutes ~ hours based on how you configured

IRSA

IRSA is IAM roles for service accounts.

This is used in Kubernetes to provide pods an ability to access AWS resources using service account.

IRSA_process

IRSA will go through following process to get list of AWS S3 bucket inside application in top of pod.

  1. Application will request to get list of S3 bucket using AWS SDK. JWT and IAM Role ARN will be provided together.
  2. STS will verify to AWS IAM if temporary credentials can be provided
  3. Using IAM OIDC provider, this will verify if IAM role is annotated inside service account.
  4. IAM will respond that temporary credentials can be provided
  5. STS will provide temporary credentials, and pod can get a list of S3 buckets based on the temporary credentials

Reference

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html

https://cloudguardians.medium.com/aws-iam-role-roleswitch-d5da22dfeb30

https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html

https://dev.to/kasukur/how-to-delegate-access-across-aws-accounts-using-iam-roles-43ej

https://kim-dragon.tistory.com/279

https://always-kimkim.tistory.com/entry/trust-relationship-assume-role