Managing Roles

When we create an AWS account, no roles are created initially, so by clicking on the Roles section in IAM, we will get the Create Role dialogue presented to us. A brief explanation is also presented that outlines a way roles can be used. As we already mentioned at the beginning of this chapter, roles are not used to identify a unique user or service, but are rather designed to allow multiple entities that require the same level of access to assume the role and present temporary credentials that allow access to the service for a limited time. We have the ability to create up to 1,000 roles in IAM in our AWS account.

Let's go ahead and create a role by clicking on the Create role button:

When creating a role, we have the ability to create the following roles:

  • AWS service roles: These are assigned to AWS services so that they can access other AWS services without the need for storing credentials in the service itself. For instance, perhaps we have an EC2 instance running an application that needs to store session data in DynamoDB.
  • Another AWS account: Cross-account roles can be used to grant other AWS accounts access to services in our account. This can be used for sharing administrative roles across multiple accounts owned by one enterprise, giving access to an external auditing company that also uses AWS, and granting permissions to any other entities with which we share services or data.
  • Web identity role: We are able to create roles that grant access to users identified via a web identity such as Amazon, Amazon Cognito, Google, and Facebook, or other OpenID- and SAML-compatible web identities.
  • SAML 2.0 federation: Similarly to web identity, we can create roles that are assigned to, and grant access to, users from our SAML 2.0-compatible corporate directories.

By selecting EC2 and clicking Next: Permissions, we will initiate the creation of a simple EC2 role that will allow EC2 instances that assume this role to have access to DynamoDB:

We will search for DynamoDB in the policy list and select the AmazonDynamoDBFullAccess policy, then press the Next: Review button:

The last step is to name the role and click Create role:
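The console flow above decides who may assume the role, which IAM stores as the role's trust policy. The following is an added example, not code from the book: it builds the trust policy the EC2 service-role option produces, the one the "Another AWS account" option produces, and a small audit function that flags the two trust mistakes a reviewer looks for first (a wildcard principal, and a cross-account principal without the sts:ExternalId condition AWS recommends for third parties such as an external auditor). Account IDs and the ExternalId value are constructed placeholders.

```python
"""Build and audit IAM role trust policies (added example, stdlib only)."""
import json

STS_ASSUME = "sts:AssumeRole"


def ec2_trust_policy() -> dict:
    """Trust policy the console generates for an 'AWS service: EC2' role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": STS_ASSUME,
        }],
    }


def cross_account_trust_policy(account_id: str, external_id: str = "") -> dict:
    """Trust policy for the 'Another AWS account' option; ExternalId is optional."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},  # placeholder account
        "Action": STS_ASSUME,
    }
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def audit_trust_policy(doc: dict, own_account: str) -> list:
    """Return the findings a reviewer would raise about who may assume the role."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("any AWS principal may assume this role")
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        has_external_id = "sts:ExternalId" in json.dumps(stmt.get("Condition", {}))
        for arn in aws_principals:
            acct = arn.split(":")[4] if arn.count(":") >= 5 else ""  # account field of the ARN
            if acct and acct != own_account and not has_external_id:
                findings.append(f"cross-account trust of {acct} without an ExternalId condition")
    return findings
```

The EC2 policy is what you would paste into a CloudFormation or Terraform role resource when moving off the console; the audit runs against `aws iam get-role` output just as well as against these constructed documents.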
