
IAM Roles & Delegation

An IAM Role is a temporary identity you can assume to gain permissions. Unlike a User, a Role does not have a permanent password or access keys. Instead, it provides Temporary Security Credentials that automatically expire.


🎭 The Concept of "Hats"

Think of a User as a person's permanent identity, and a Role as a "Hat" or "Job Title" they can put on to perform specific tasks.

  • Who can wear the hat?: Defined by the Trust Policy.
  • What can they do while wearing it?: Defined by the Permissions Policy.

🛠️ Types of IAM Roles

AWS provides several types of roles depending on who or what needs the permissions.

1. Service Roles

Allows AWS services (like EC2 or Lambda) to perform actions on your behalf.

  • Example: Giving an EC2 instance permission to read files from an S3 bucket.

2. Cross-Account Roles

Allows a user from one AWS account to manage resources in another AWS account.

  • Example: A centralized Security account managing logs in multiple Developer accounts.

3. Federated Roles

Allows users to log in using external identities (Google, Facebook, or your company's Active Directory).

  • Example: Developers logging into the AWS Console using their corporate SSO credentials.

4. Service-Linked Roles

Special roles predefined by AWS that include all the permissions that a service requires to call other AWS services on your behalf.


⚖️ IAM Role vs. IAM User

| Feature        | IAM User                      | IAM Role                               |
| -------------- | ----------------------------- | -------------------------------------- |
| Credentials    | Long-term (Password/API Keys) | Temporary (Expires in minutes/hours)   |
| Authentication | Direct login                  | "Assumed" by a trusted entity          |
| Primary Use    | Humans (Interactive use)      | Applications, Services, or AWS-to-AWS  |
| Risk Profile   | High (if keys are leaked)     | Low (Credentials rotate automatically) |

🔍 Common Troubleshooting

If a service or user cannot assume a role, check these three areas:

  1. The Trust Relationship: Ensure the entity (e.g., lambda.amazonaws.com) is explicitly listed in the role's Trust Policy.
  2. Missing Permissions: Ensure the Permissions Policy attached to the role actually allows the required action.
  3. Session Duration: If a script is failing halfway through, the IAM session might have expired. Roles can have sessions lasting from 1 to 12 hours.
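The first troubleshooting step above is a trust-policy check, so here is an added example (not from the original notes) that evaluates a constructed trust policy the way IAM does: explicit Deny wins, otherwise at least one matching Allow is required, and anything else is denied by default. The policy, the account ID 111122223333 and the principal names are all made up for the example; it also does not model the caller's own identity policy, which a real cross-account AssumeRole additionally needs.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample trust policy (not from the page): Lambda and one
# deploy role may assume the role; one named user is explicitly denied.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/DeployRole"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Deny",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/intern"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

def _as_list(value):
    # IAM lets most fields be either a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller):
    # `caller` is a dict such as {"AWS": "arn:..."} or {"Service": "..."}.
    if principal == "*":          # anonymous/any principal
        return True
    for kind, ids in principal.items():
        targets = _as_list(ids)
        if kind in caller and (caller[kind] in targets or "*" in targets):
            return True
    return False

def _action_matches(action, pattern):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def can_assume(trust_policy, caller, action="sts:AssumeRole"):
    """True if `caller` may perform `action` under this trust policy."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if not any(_action_matches(action, a) for a in actions):
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if stmt["Effect"] == "Deny":   # an explicit Deny always wins
            return False
        allowed = True
    return allowed                     # no matching Allow -> implicit deny
```

Run it against the principal that is failing to assume the role; a False here means the fix belongs in the trust policy, not in the permissions policy.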

[!TIP] STS (Security Token Service): When you "assume" a role, your application calls AWS STS with an AssumeRole request. STS checks the role's Trust Policy and returns a temporary Access Key, Secret Key, and Session Token. This is the technical engine that makes Roles possible.