Understanding AWS IAM Roles: A Guide for Developers

Published March 16, 2020 · by Eric Wilson · in aws

An introduction to AWS IAM Roles, a fundamental security tool. Learn what roles are, how they work, and why they are the secure way to grant permissions to your AWS resources and applications.

When you're building applications on AWS, one of the first security challenges you'll face is: how do I give my application (e.g., an EC2 instance or a Lambda function) permission to access other AWS services (like an S3 bucket)?

The wrong way to do this is to create an IAM user, generate access keys, and embed those keys in your application's configuration. This is a major security risk. If those keys ever leak, anyone can use them to access your account.

The right way to do this is with AWS IAM Roles.

What is an IAM Role?

An IAM Role is an IAM identity that you can create in your account that has specific permissions. Unlike an IAM user, a role is not associated with a specific person. Instead, it's intended to be assumed by a trusted entity, such as an AWS service, an application, or a user from another AWS account.

When an entity assumes a role, it is granted a set of temporary security credentials that it can use to make AWS API calls. These credentials expire automatically, which makes them much more secure than long-lived access keys.

How Do Roles Work? The Two Key Policies

An IAM Role is defined by two policies:

  1. Permissions Policy: This is a standard IAM identity-based policy that defines what the role is allowed to do. For example, it might grant permission to read from a specific S3 bucket (s3:GetObject) or write to a DynamoDB table (dynamodb:PutItem).

  2. Trust Policy: This is the most important part of a role. The trust policy defines who is allowed to assume the role. The entity that is allowed to assume the role is called the principal.

Example Trust Policy for an EC2 Instance:

This policy allows the EC2 service to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}

A Common Use Case: EC2 Instance Profile

Let's say you have a web application running on an EC2 instance that needs to read files from an S3 bucket.

  1. You create an IAM Role.
  2. You attach a permissions policy to the role that grants s3:GetObject permission for your specific bucket.
  3. You set the trust policy of the role to allow the EC2 service to assume it.
  4. You attach this role to your EC2 instance as an instance profile.

Now, when your application running on that EC2 instance makes a call to the AWS SDK, the SDK will automatically retrieve temporary credentials from the EC2 instance metadata service. These credentials are associated with the role, so your application can now successfully call GetObject on the S3 bucket, without you ever having to manage access keys.

Another Common Use Case: Lambda Execution Role

When you create an AWS Lambda function, you must assign it an execution role. This is the IAM role that the function will assume when it runs.

If your Lambda function needs to write logs to CloudWatch Logs, its execution role must have a permissions policy that allows the logs:CreateLogGroup, logs:CreateLogStream, and logs:PutLogEvents actions.

If the function needs to access a DynamoDB table, you would add the necessary DynamoDB permissions to the same role.

Why Roles are the Secure Choice

  • No Long-Lived Keys: Roles use temporary credentials that are automatically rotated. You never have to store or manage access keys in your application code or configuration files.
  • Principle of Least Privilege: You can create roles with very specific, fine-grained permissions for each of your application's components. An EC2 instance running a web server can have a different role than an instance processing data.
  • Auditable: All actions performed by a role are logged in AWS CloudTrail, so you can see exactly who is doing what.

Conclusion

IAM Roles are a fundamental building block for security on AWS. They are the standard, secure way to grant permissions to your AWS services and applications. By avoiding the use of long-lived IAM user access keys and instead using roles to grant temporary, specific permissions, you can build applications that are significantly more secure and easier to manage.

Back to All Blogs