📖 What is IAM Role?
An IAM role is an AWS identity granting temporary access to services and resources. Roles are designed for applications or services, not individual users, and define permissions through policies. They are assumed by entities needing access, eliminating the need for long-term credentials.
"Exam questions frequently test understanding of trust policies. A trust policy defines *who* can assume the role, while a permissions policy defines *what* the role can do. Distinguish roles from users; roles lack permanent credentials."
📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)
🔑 What are the Key Concepts of IAM Role?
- ▸ IAM roles enable applications to access AWS resources without embedding long-term credentials, enhancing security and simplifying credential management.
- ▸ A trust policy defines which principals (AWS accounts, services, or users) are allowed to assume the role, controlling access at the identity level.
- ▸ Permissions policies attached to a role define the actions the role can perform on AWS resources, granting specific levels of access.
- ▸ Roles are crucial for cross-account access, allowing resources in one account to securely access resources in another account.
- ▸ The `sts:AssumeRole` API call is used by an entity to assume a role and obtain temporary security credentials.
🎯 How does IAM Role appear on the SAA-C03 Exam?
You may be asked to identify the best way for an EC2 instance to access S3 buckets in another AWS account, focusing on the use of IAM roles and trust relationships.
A scenario might describe an application running on ECS needing access to DynamoDB; expect questions about configuring an IAM role with the necessary permissions and trust policy.
Expect questions about troubleshooting access denied errors, where you must determine if the issue stems from incorrect permissions policies or a misconfigured trust policy.
❓ Frequently Asked Questions
What's the difference between a trust policy and a permissions policy?
The trust policy defines *who* can assume the role, specifying the principal. The permissions policy defines *what* actions the role can perform once assumed, granting access to resources.
Can an IAM user assume a role? If so, how?
Yes, an IAM user can assume a role using the AWS Management Console, CLI, or SDK, provided the user's IAM policy allows `sts:AssumeRole` and the role's trust policy allows the user's ARN.
When should I use an IAM role versus IAM user credentials?
Always prefer IAM roles for applications and services. Roles avoid storing long-term credentials on instances or in code, improving security. Use IAM users for individual human access.