# Methods to assume a role
Methods to assume a role
Before a user, application, or service can use a role that you created, you must [grant permissions to switch](id_roles_use_permissions-to-switch.md) to the role. You can use any policy attached to groups or users to grant the necessary permissions. After permissions are granted, the user can assume a role from the AWS Management Console, the Tools for Windows PowerShell, the AWS Command Line Interface (AWS CLI) and the [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API.
**Important**
When you create a role programmatically instead of in the IAM console, you have an option to add a `Path` of up to 512 characters in addition to the `RoleName`, which can be up to 64 characters long. However, if you intend to use a role with the **Switch Role** feature in the AWS Management Console, then the combined `Path` and `RoleName` cannot exceed 64 characters.
The method used to assume the role determines who can assume the role and how long the role session can last. When using `AssumeRole*` API operations, the IAM role that you assume is the resource. The user or role that calls `AssumeRole*` API operations is the principal.
The following table compares methods for assuming roles.
| Method of assuming the role | **Who can assume the role** | **Method to specify credential lifetime** | **Credential lifetime (min \$1 max \$1 default)** |
| --- | --- | --- | --- |
| AWS Management Console | User or roles¹(by [switching roles](id_roles_use_switch-role-console.md)) | Maximum session duration on the Role Summary page | 15m \$1 Maximum session duration setting² \$1 1hr |
| [https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html) CLI or [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operation | User or role¹ | duration-seconds CLI or DurationSeconds API parameter | 15m \$1 Maximum session duration setting² \$1 1hr |
| [https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-saml.html) CLI or [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html) API operation | Any user authenticated using SAML | duration-seconds CLI or DurationSeconds API parameter | 15m \$1 Maximum session duration setting² \$1 1hr |
| [https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html) CLI or [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) API operation | Any user authenticated using an OIDC provider | duration-seconds CLI or DurationSeconds API parameter | 15m \$1 Maximum session duration setting² \$1 1hr |
| [Console URL](id_roles_providers_enable-console-custom-url.md) constructed with AssumeRole | User or role | SessionDuration HTML parameter in the URL | 15m \$1 12hr \$1 1hr |
| [Console URL](id_roles_providers_enable-console-custom-url.md) constructed with AssumeRoleWithSAML | Any user authenticated using SAML | SessionDuration HTML parameter in the URL | 15m \$1 12hr \$1 1hr |
| [Console URL](id_roles_providers_enable-console-custom-url.md) constructed with AssumeRoleWithWebIdentity | Any user authenticated using an OIDC provider | SessionDuration HTML parameter in the URL | 15m \$1 12hr \$1 1hr |
¹ Using the credentials from one role to assume a different role is called [role chaining](id_roles.md#iam-term-role-chaining). When you use role chaining, the role's session duration is limited to one hour. This applies to AWS Management Console role switching, AWS CLI, and API operations. This limitation does not apply to the initial assumption of a role from user credentials, or to applications running on Amazon EC2 instances using instance profiles.
² This setting can have a value from 1 hour to 12 hours. For details about modifying the maximum session duration setting, see [IAM role management](id_roles_manage.md). This setting determines the maximum session duration that you can request when you get the role credentials. For example, when you use the [AssumeRole\$1](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operations to assume a role, you can specify a session length using the `DurationSeconds` parameter. Use this parameter to specify the length of the role session from 900 seconds (15 minutes) up to the maximum session duration setting for the role. IAM users who switch roles in the console are granted the maximum session duration, or the remaining time in their user session, whichever is less. Assume that you set a maximum duration of 5 hours on a role. An IAM user that has been signed into the console for 10 hours (out of the default maximum of 12) switches to the role. The available role session duration is 2 hours. To learn how to view the maximum value for your role, see [Update the maximum session duration for a role](id_roles_update-role-settings.md#id_roles_update-session-duration) later in this page.
**Notes**
The maximum session duration setting does not limit sessions that are assumed by AWS services.
Amazon EC2 IAM role credentials are not subject to the maximum session duration configured in the role.
To allow users to assume the current role again within a role session, specify the role ARN or AWS account ARN as a principal in the role trust policy. AWS services that provide compute resources such as Amazon EC2, Amazon ECS, Amazon EKS, and Lambda provide temporary credentials and automatically update these credentials. This ensures that you always have a valid set of credentials. For these services, it's not necessary to assume the current role again to obtain temporary credentials. However, if you intend to pass [session tags](id_session-tags.md) or a [session policy](access_policies.md#policies_session), you need to assume the current role again. To learn how to modify a role trust policy to add the principal role ARN or AWS account ARN, see [Update a role trust policy](id_roles_update-role-trust-policy.md).
**Topics**
+ [
# Switch from a user to an IAM role (console)
](id_roles_use_switch-role-console.md)
+ [
# Switch to an IAM role (AWS CLI)
](id_roles_use_switch-role-cli.md)
+ [
# Switch to an IAM role (Tools for Windows PowerShell)
](id_roles_use_switch-role-twp.md)
+ [
# Switch to an IAM role (AWS API)
](id_roles_use_switch-role-api.md)
+ [
# Use an IAM role to grant permissions to applications running on Amazon EC2 instances
](id_roles_use_switch-role-ec2.md)
+ [
# Use instance profiles
](id_roles_use_switch-role-ec2_instance-profiles.md)
# Switch from a user to an IAM role (console)
Switch from a user to a role
You can switch roles when you sign in as an IAM user, a user in IAM Identity Center, a SAML-federated role, or a web-identity federated role. A *role* specifies a set of permissions that you can use to access AWS resources that you need. However, you don't sign in to a role, but once signed in as an IAM user you can switch to an IAM role. This temporarily sets aside your original user permissions and instead gives you the permissions assigned to the role. The role can be in your own account or any other AWS account. For more information about roles, their benefits, and how to create them, see [IAM roles](id_roles.md), and [IAM role creation](id_roles_create.md).
The permissions of your user and any roles that you switch to aren't cumulative. Only one set of permissions is active at a time. When you switch to a role, you temporarily give up your user permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.
When you switch roles in the AWS Management Console, the console always uses your original credentials to authorize the switch. For example, if you switch to RoleA, IAM uses your original credentials to determine whether you are allowed to assume RoleA. If you then switch to RoleB *while you are using RoleA*, AWS still uses your **original** credentials to authorize the switch, not the credentials for RoleA.
**Note**
When you sign in as a user in IAM Identity Center, as a SAML-federated role, or as a web-identity federated role you assume an IAM role when you start your session. For example, when a user in IAM Identity Center signs in to the AWS access portal they must choose a permission set that correlates to a role before they can access AWS resources.
## Role sessions
When you switch roles, your AWS Management Console session lasts for 1 hour by default. IAM user sessions are 12 hours by default, other users might have different session durations defined. When you switch roles in the console, you are granted the role maximum session duration, or the remaining time in your user session, whichever is less. You can't extend your session duration by assuming a role.
For example, assume that a maximum session duration of 10 hours is set for a role. You have been signed in to the console for 8 hours when you decide to switch to the role. There are 4 hours remaining in your user session, so the allowed role session duration is 4 hours, not the maximum session duration of 10 hours. The following table shows how to determine the session duration for an IAM user when switching roles in the console.
| IAM user session time remaining is… | Role session duration is… |
| --- | --- |
| Less than role maximum session duration | Time remaining in user session |
| Greater than role maximum session duration | Maximum session duration value |
| Equal to role maximum session duration | Maximum session duration value (approximate) |
Using the credentials from one role to assume a different role is called [role chaining](id_roles.md#iam-term-role-chaining). When you use role chaining, the session duration is limited to one hour, regardless of the maximum session duration setting configured for individual roles. This applies to AWS Management Console role switching, AWS CLI, and API operations.
**Note**
Some AWS service consoles can autorenew your role session when it expires without you taking any action. Some might prompt you to reload your browser page to reauthenticate your session.
## Considerations
+ You can't switch roles if you sign in as the AWS account root user.
+ Users must be granted permission to switch roles by policy. For instructions, see [Grant a user permissions to switch roles](id_roles_use_permissions-to-switch.md).
+ You can't switch roles in the AWS Management Console to a role that requires an [ExternalId](id_roles_common-scenarios_third-party.md#id_roles_third-party_external-id) value. You can switch to such a role only by calling the [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API that supports the `ExternalId` parameter.
## To switch to a role
1. Follow the sign-in procedure appropriate to you user type as described in [Sign in to the AWS Management Console](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.
1. In the AWS Management Console, choose your user name on the navigation bar in the upper right. It typically looks like this: ***username*@*account\$1ID\$1number\$1or\$1alias***.
1. Select one of the following methods to switch roles:
+ Choose **Switch role**.
+ If you have opted in to multi-session support, choose **Add session** and select **Switch role**.
**Note**
You can sign in to up to five different identities simultaneously in a single web browser in the AWS Management Console. For details, see [Signing in to multiple accounts](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/multisession.html) in the *AWS Management Console Getting Started Guide*.
1. On the **Switch Role** page, type the account ID number or the account alias and the name of the role that was provided by your administrator.
**Note**
If your administrator created the role with a path, such as `division_abc/subdivision_efg/roleToDoX`, then you must type that complete path and name in the **Role** box. If you type only the role name, or if the combined `Path` and `RoleName` exceed 64 characters, the role switch fails. This is a limit of the browser cookies that store the role name. If this happens, contact your administrator and ask them to reduce the size of the path and role name.
1. (Optional)You can enter a display name and select a display color that will highlight the role in the console navigation bar.
+ For **Display name**, type text that you want to appear on the navigation bar in place of your user name when this role is active. A name is suggested, based on the account and role information, but you can change it to whatever has meaning for you.
+ For **Display color**, select a color to highlight the display name.
The name and color can help remind you when this role is active, which changes your permissions. For example, for a role that gives you access to the test environment, you might specify a **Display name** of **Test** and select the green **Color**. For the role that gives you access to production, you might specify a **Display name** of **Production** and select red as the **Color**.
1. Choose **Switch Role**. The display name and color replace your user name on the navigation bar, and you can start using the permissions that the role grants you.
1. After you have completed the tasks that require the IAM role you can switch back to your original session. This will remove the additional permissions provided by the role and return you to your standard permissions.
1. In the IAM console, choose your role's **Display name** on the navigation bar in the upper right.
1. Choose **Switch back**.
For example, assume you are signed in to account number `123456789012` using the user name `Richard`. After you use the `admin-role` role, you want to stop using the role and return to your original permissions. To stop using the role, you choose **admin-role @ 123456789012**, and then choose **Switch back**.
![\[Graphic locating the Switch back function to stop using an IAM role and return to the original user.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/role-stop-using.png)
**Tip**
The last several roles that you used appear on the menu. The next time you want to switch to one of those roles, you can simply choose the role you want. You are only required to type the account and role information manually if the role isn't displayed on the menu.
## Additional resources
+ [Grant a user permissions to switch roles](id_roles_use_permissions-to-switch.md)
+ [Grant a user permissions to pass a role to an AWS service](id_roles_use_passrole.md)
+ [Create a role to give permissions to an IAM user](id_roles_create_for-user.md)
+ [Create a role to delegate permissions to an AWS service](id_roles_create_for-service.md)
+ [Troubleshoot IAM roles](troubleshoot_roles.md)
# Switch to an IAM role (AWS CLI)
Switch roles (AWS CLI)
A *role* specifies a set of permissions that you can use to access AWS resources that you need. In that sense, it is similar to a [user in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) (IAM). When you sign in as a user, you get a specific set of permissions. However, you don't sign in to a role, but after signing in as a user, you can switch to a role. This temporarily sets aside your original user permissions and instead gives you the permissions assigned to the role. The role can be in your own account or any other AWS account. For more information about roles, their benefits, and how to create and configure them, see [IAM roles](id_roles.md), and [IAM role creation](id_roles_create.md). To learn about the different methods that you can use to assume a role, see [Methods to assume a role](id_roles_manage-assume.md).
**Important**
The permissions of your IAM user and any roles that you assume are not cumulative. Only one set of permissions is active at a time. When you assume a role, you temporarily give up your previous user or role permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.
You can use a role to run an AWS CLI command when you are signed in as an IAM user. You can also use a role to run an AWS CLI command when you are signed in as an [externally authenticated user](id_roles_providers.md) ([SAML](id_roles_providers_saml.md) or [OIDC](id_roles_providers_oidc.md)) that is already using a role. In addition, you can use a role to run an AWS CLI command from within an Amazon EC2 instance that is attached to a role through its instance profile. You cannot assume a role when you are signed in as the AWS account root user.
[**Role chaining**](id_roles.md#iam-term-role-chaining) – You can also use role chaining, which is using permissions from a role to access a second role.
By default, your role session lasts for one hour. When you assume this role using the `assume-role*` CLI operations, you can specify a value for the `duration-seconds` parameter. This value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. If you switch roles in the console, your session duration is limited to maximum of one hour. To learn how to view the maximum value for your role, see [Update the maximum session duration for a role](id_roles_update-role-settings.md#id_roles_update-session-duration).
If you use role chaining, your session duration is limited to a maximum of one hour. If you then use the `duration-seconds` parameter to provide a value greater than one hour, the operation fails.
## Example scenario: Switch to a production role
Imagine that you are an IAM user for working in the development environment. In this scenario, you occasionally need to work with the production environment at the command line with the [AWS CLI](http://aws.amazon.com/cli/). You already have an access key credential set available to you. This can be the access key pair that is assigned to your standard IAM user. Or, if you signed in as a SAML or OIDC federated principal, it can be the access key pair for the role that was initially assigned to you. If your current permissions grant you the ability to assume a specific IAM role, then you can identify that role in a "profile" in the AWS CLI configuration files. That command is then run with the permissions of the specified IAM role, not the original identity. Note that when you specify that profile in an AWS CLI command, you are using the new role. In this situation, you cannot make use of your original permissions in the development account at the same time. The reason is that only one set of permissions can be in effect at a time.
**Note**
For security purposes, administrators can [review AWS CloudTrail logs](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds) to learn who performed an action in AWS. Your administrator might require that you specify a source identity or a role session name when you assume the role. For more information, see [`sts:SourceIdentity`](reference_policies_iam-condition-keys.md#ck_sourceidentity) and [`sts:RoleSessionName`](reference_policies_iam-condition-keys.md#ck_rolesessionname).
**To switch to a production role (AWS CLI)**
1. If you have never used the AWS CLI, then you must first configure your default CLI profile. Open a command prompt and set up your AWS CLI installation to use the access key from your IAM user or from your federated role. For more information, see [Configuring the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-quick-configuration) in the *AWS Command Line Interface User Guide*.
Run the [aws configure](https://docs.aws.amazon.com/cli/latest/reference/configure/) command as follows:
```
aws configure
```
When prompted, provide the following information:
```
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-east-2
Default output format [None]: json
```
1. Create a new profile for the role in the `.aws/config` file in Unix or Linux, or the `C:\Users\USERNAME\.aws\config` file in Windows. The following example creates a profile called `prodaccess` that switches to the role `ProductionAccessRole` in the `123456789012` account. You get the role ARN from the account administrator who created the role. When this profile is invoked, the AWS CLI uses the credentials of the `source_profile` to request credentials for the role. Because of that, the identity referenced as the `source_profile` must have `sts:AssumeRole` permissions to the role that is specified in the `role_arn`.
```
[profile prodaccess]
role_arn = arn:aws:iam::123456789012:role/ProductionAccessRole
source_profile = default
```
1. After you create the new profile, any AWS CLI command that specifies the parameter `--profile prodaccess` runs under the permissions that are attached to the IAM role `ProductionAccessRole` instead of the default user.
```
aws iam list-users --profile prodaccess
```
This command works if the permissions assigned to the `ProductionAccessRole` enable listing the users in the current AWS account.
1. To return to the permissions granted by your original credentials, run commands without the `--profile` parameter. The AWS CLI reverts to using the credentials in your default profile, which you configured in [Step 1](#step-configure-default).
For more information, see [Assuming a Role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) in the *AWS Command Line Interface User Guide*.
## Example scenario: Allow an instance profile role to switch to a role in another account
Imagine that you are using two AWS accounts, and you want to allow an application running on an Amazon EC2 instance to run [AWS CLI](http://aws.amazon.com/cli/) commands in both accounts. Assume that the EC2 instance exists in account `111111111111`. That instance includes the `abcd` instance profile role that allows the application to perform read-only Amazon S3 tasks on the `amzn-s3-demo-bucket1` bucket within the same `111111111111` account. However, the application must also be allowed to assume the `efgh` cross-account role to perform tasks in account `222222222222`. To do this, the `abcd` EC2 instance profile role must have the following permissions policy:
***Account 111111111111 `abcd` role permissions policy***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket1/*",
"arn:aws:s3:::amzn-s3-demo-bucket1"
]
},
{
"Sid": "AllowIPToAssumeCrossAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::222222222222:role/efgh"
}
]
}
```
------
Assume that the `efgh` cross-account role allows read-only Amazon S3 tasks on the `amzn-s3-demo-bucket2` bucket within the same `222222222222` account. To do this, the `efgh` cross-account role must have the following permissions policy:
***Account 222222222222 `efgh` role permissions policy***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket2/*",
"arn:aws:s3:::amzn-s3-demo-bucket2"
]
}
]
}
```
------
The `efgh` role must allow the `abcd` instance profile role to assume it. To do this, the `efgh` role must have the following trust policy:
***Account 222222222222 `efgh` role trust policy***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "efghTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"AWS": "arn:aws:iam::111111111111:role/abcd"}
}
]
}
```
------
To then run AWS CLI commands in account `222222222222`, you must update the CLI configuration file. Identify the `efgh` role as the "profile" and the `abcd` EC2 instance profile role as the "credential source" in the AWS CLI configuration file. Then your CLI commands are run with the permissions of the `efgh` role, not the original `abcd` role.
**Note**
For security purposes, you can use AWS CloudTrail to audit the use of roles in the account. To differentiate between role sessions when a role is used by different principals in CloudTrail logs, you can use the role session name. When the AWS CLI assumes a role on a user's behalf as described in this topic, a role session name is automatically created as `AWS-CLI-session-nnnnnnnn`. Here *nnnnnnnn* is an integer that represents the time in [Unix epoch time](http://wikipedia.org/wiki/Unix_time) (the number of seconds since midnight UTC on January 1, 1970). For more information, see [CloudTrail Event Reference](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/eventreference.html) in the *AWS CloudTrail User Guide*.
**To allow an EC2 instance profile role to switch to a cross-account role (AWS CLI)**
1. You do not have to configure a default CLI profile. Instead, you can load credentials from the EC2 instance profile metadata. Create a new profile for the role in the `.aws/config` file. The following example creates an `instancecrossaccount` profile that switches to the role `efgh` in the `222222222222` account. When this profile is invoked, the AWS CLI uses the credentials of the EC2 instance profile metadata to request credentials for the role. Because of that, the EC2 instance profile role must have `sts:AssumeRole` permissions to the role specified in the `role_arn`.
```
[profile instancecrossaccount]
role_arn = arn:aws:iam::222222222222:role/efgh
credential_source = Ec2InstanceMetadata
```
1. After you create the new profile, any AWS CLI command that specifies the parameter `--profile instancecrossaccount` runs under the permissions that are attached to the `efgh` role in account `222222222222`.
```
aws s3 ls amzn-s3-demo-bucket2 --profile instancecrossaccount
```
This command works if the permissions that are assigned to the `efgh` role allow listing the users in the current AWS account.
1. To return to the original EC2 instance profile permissions in account `111111111111`, run the CLI commands without the `--profile` parameter.
For more information, see [Assuming a Role](https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html) in the *AWS Command Line Interface User Guide*.
# Switch to an IAM role (Tools for Windows PowerShell)
Switch roles (Tools for Windows PowerShell)
A *role* specifies a set of permissions that you can use to access AWS resources that you need. In that sense, it is similar to a [user in AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) (IAM). When you sign in as a user, you get a specific set of permissions. However, you don't sign in to a role, but once signed in you can switch to a role. This temporarily sets aside your original user permissions and instead gives you the permissions assigned to the role. The role can be in your own account or any other AWS account. For more information about roles, their benefits, and how to create and configure them, see [IAM roles](id_roles.md), and [IAM role creation](id_roles_create.md).
**Important**
The permissions of your IAM user and any roles that you switch to are not cumulative. Only one set of permissions is active at a time. When you switch to a role, you temporarily give up your user permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.
This section describes how to switch roles when you work at the command line with the AWS Tools for Windows PowerShell.
Imagine that you have an account in the development environment and you occasionally need to work with the production environment at the command line using the [Tools for Windows PowerShell](http://aws.amazon.com/powershell/). You already have one access key credential set available to you. These can be an access key pair assigned to your standard IAM user. Or, if you signed-in as a SAML or OIDC federated principal, they can be the access key pair for the role initially assigned to you. You can use these credentials to run the `Use-STSRole` cmdlet that passes the ARN of a new role as a parameter. The command returns temporary security credentials for the requested role. You can then use those credentials in subsequent PowerShell commands with the role's permissions to access resources in production. While you use the role, you cannot use your user permissions in the Development account because only one set of permissions is in effect at a time.
**Note**
For security purposes, administrators can [review AWS CloudTrail logs](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds) to learn who performed an action in AWS. Your administrator might require that you specify a source identity or a role session name when you assume the role. For more information, see [`sts:SourceIdentity`](reference_policies_iam-condition-keys.md#ck_sourceidentity) and [`sts:RoleSessionName`](reference_policies_iam-condition-keys.md#ck_rolesessionname).
Note that all access keys and tokens are examples only and cannot be used as shown. Replace with the appropriate values from your live environment.
**To switch to a role (Tools for Windows PowerShell)**
1. Open a PowerShell command prompt and configure the default profile to use the access key from your current IAM user or from your federated role. If you have previously used the Tools for Windows PowerShell, then this is likely already done. Note that you can switch roles only if you are signed in as an IAM user, not the AWS account root user.
```
PS C:\> Set-AWSCredentials -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY -StoreAs MyMainUserProfile
PS C:\> Initialize-AWSDefaults -ProfileName MyMainUserProfile -Region us-east-2
```
For more information, see [Using AWS Credentials](https://docs.aws.amazon.com/powershell/latest/userguide/specifying-your-aws-credentials.html) in the *AWS Tools for PowerShell User Guide*.
1. To retrieve credentials for the new role, run the following command to switch to the `RoleName` role in the 123456789012 account. You get the role ARN from the account administrator who created the role. The command requires that you provide a session name as well. You can choose any text for that. The following command requests the credentials and then captures the `Credentials` property object from the returned results object and stores it in the `$Creds` variable.
```
PS C:\> $Creds = (Use-STSRole -RoleArn "arn:aws:iam::123456789012:role/RoleName" -RoleSessionName "MyRoleSessionName").Credentials
```
`$Creds` is an object that now contains the `AccessKeyId`, `SecretAccessKey`, and `SessionToken` elements that you need in the following steps. The following sample commands illustrate typical values:
```
PS C:\> $Creds.AccessKeyId
AKIAIOSFODNN7EXAMPLE
PS C:\> $Creds.SecretAccessKey
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
PS C:\> $Creds.SessionToken
AQoDYXdzEGcaEXAMPLE2gsYULo+Im5ZEXAMPLEeYjs1M2FUIgIJx9tQqNMBEXAMPLECvSRyh0FW7jEXAMPLEW+vE/7s1HRp
XviG7b+qYf4nD00EXAMPLEmj4wxS04L/uZEXAMPLECihzFB5lTYLto9dyBgSDyEXAMPLE9/g7QRUhZp4bqbEXAMPLENwGPy
Oj59pFA4lNKCIkVgkREXAMPLEjlzxQ7y52gekeVEXAMPLEDiB9ST3UuysgsKdEXAMPLE1TVastU1A0SKFEXAMPLEiywCC/C
s8EXAMPLEpZgOs+6hz4AP4KEXAMPLERbASP+4eZScEXAMPLEsnf87eNhyDHq6ikBQ==
PS C:\> $Creds.Expiration
Thursday, June 18, 2018 2:28:31 PM
```
1. To use these credentials for any subsequent command, include them with the `-Credential` parameter. For example, the following command uses the credentials from the role and works only if the role is granted the `iam:ListRoles` permission and can therefore run the `Get-IAMRoles` cmdlet:
```
PS C:\> get-iamroles -Credential $Creds
```
1. To return to your original credentials, simply stop using the `-Credentials $Creds` parameter and allow PowerShell to revert to the credentials that are stored in the default profile.
# Switch to an IAM role (AWS API)
Switch roles (AWS API)
A *role* specifies a set of permissions that you can use to access AWS resources. In that sense, it is similar to an [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html). A principal (person or application) assumes a role to receive temporary permissions to carry out required tasks and interact with AWS resources. The role can be in your own account or any other AWS account. For more information about roles, their benefits, and how to create and configure them, see [IAM roles](id_roles.md), and [IAM role creation](id_roles_create.md). To learn about the different methods that you can use to assume a role, see [Methods to assume a role](id_roles_manage-assume.md).
**Important**
The permissions of your IAM user and any roles that you assume are not cumulative. Only one set of permissions is active at a time. When you assume a role, you temporarily give up your previous user or role permissions and work with the permissions that are assigned to the role. When you exit the role, your original permissions are automatically restored.
To assume a role, an application calls the AWS STS [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operation and passes the ARN of the role to use. The operation creates a new session with temporary credentials. This session has the same permissions as the identity-based policies for that role.
When you call [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html), you can optionally pass inline or managed [session policies](access_policies.md#policies_session). Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary credential session for a role or federated user session. You can pass a single JSON inline session policy document using the `Policy` parameter. You can use the `PolicyArns` parameter to specify up to 10 managed session policies. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies are useful when you need to give the role's temporary credentials to someone else. They can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy. To learn more about how AWS determines the effective permissions of a role, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
![\[PermissionsWhenPassingRoles_Diagram\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/role_passed_policy_permissions.png)
You can call `AssumeRole` when you are signed in as an IAM user, or as an [externally authenticated user](id_roles_providers.md) ([SAML](id_roles_providers_saml.md) or [OIDC](id_roles_providers_oidc.md)) already using a role. You can also use [*role chaining*](id_roles.md#iam-term-role-chaining), which is using a role to assume a second role. You cannot assume a role when you are signed in as the AWS account root user.
By default, your role session lasts for one hour. When you assume this role using the AWS STS [https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API operations, you can specify a value for the `DurationSeconds` parameter. This value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. To learn how to view the maximum value for your role, see [Update the maximum session duration for a role](id_roles_update-role-settings.md#id_roles_update-session-duration).
If you use role chaining, your session is limited to a maximum of one hour. If you then use the `DurationSeconds` parameter to provide a value greater than one hour, the operation fails.
**Note**
For security purposes, administrators can [review AWS CloudTrail logs](cloudtrail-integration.md#cloudtrail-integration_signin-tempcreds) to learn who performed an action in AWS. Your administrator might require that you specify a source identity or a role session name when you assume the role. For more information, see [`sts:SourceIdentity`](reference_policies_iam-condition-keys.md#ck_sourceidentity) and [`sts:RoleSessionName`](reference_policies_iam-condition-keys.md#ck_rolesessionname).
The following code examples show how to create a user and assume a role.
**Warning**
To avoid security risks, don't use IAM users for authentication when developing purpose-built software or working with real data. Instead, use federation with an identity provider such as [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html).
+ Create a user with no permissions.
+ Create a role that grants permission to list Amazon S3 buckets for the account.
+ Add a policy to let the user assume the role.
+ Assume the role and list S3 buckets using temporary credentials, then clean up resources.
------
#### [ .NET ]
**SDK for .NET**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/IAM#code-examples).
```
global using Amazon.IdentityManagement;
global using Amazon.S3;
global using Amazon.SecurityToken;
global using IAMActions;
global using IamScenariosCommon;
global using Microsoft.Extensions.DependencyInjection;
global using Microsoft.Extensions.Hosting;
global using Microsoft.Extensions.Logging;
global using Microsoft.Extensions.Logging.Console;
global using Microsoft.Extensions.Logging.Debug;
namespace IAMActions;
public class IAMWrapper
{
private readonly IAmazonIdentityManagementService _IAMService;
///
/// Constructor for the IAMWrapper class.
///
/// An IAM client object.
public IAMWrapper(IAmazonIdentityManagementService IAMService)
{
_IAMService = IAMService;
}
///
/// Attach an IAM policy to a role.
///
/// The policy to attach.
/// The role that the policy will be attached to.
/// A Boolean value indicating the success of the action.
public async Task AttachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.AttachRolePolicyAsync(new AttachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Create an IAM access key for a user.
///
/// The username for which to create the IAM access
/// key.
/// The AccessKey.
public async Task CreateAccessKeyAsync(string userName)
{
var response = await _IAMService.CreateAccessKeyAsync(new CreateAccessKeyRequest
{
UserName = userName,
});
return response.AccessKey;
}
///
/// Create an IAM policy.
///
/// The name to give the new IAM policy.
/// The policy document for the new policy.
/// The new IAM policy object.
public async Task CreatePolicyAsync(string policyName, string policyDocument)
{
var response = await _IAMService.CreatePolicyAsync(new CreatePolicyRequest
{
PolicyDocument = policyDocument,
PolicyName = policyName,
});
return response.Policy;
}
///
/// Create a new IAM role.
///
/// The name of the IAM role.
/// The name of the IAM policy document
/// for the new role.
/// The Amazon Resource Name (ARN) of the role.
public async Task CreateRoleAsync(string roleName, string rolePolicyDocument)
{
var request = new CreateRoleRequest
{
RoleName = roleName,
AssumeRolePolicyDocument = rolePolicyDocument,
};
var response = await _IAMService.CreateRoleAsync(request);
return response.Role.Arn;
}
///
/// Create an IAM service-linked role.
///
/// The name of the AWS Service.
/// A description of the IAM service-linked role.
/// The IAM role that was created.
public async Task CreateServiceLinkedRoleAsync(string serviceName, string description)
{
var request = new CreateServiceLinkedRoleRequest
{
AWSServiceName = serviceName,
Description = description
};
var response = await _IAMService.CreateServiceLinkedRoleAsync(request);
return response.Role;
}
///
/// Create an IAM user.
///
/// The username for the new IAM user.
/// The IAM user that was created.
public async Task CreateUserAsync(string userName)
{
var response = await _IAMService.CreateUserAsync(new CreateUserRequest { UserName = userName });
return response.User;
}
///
/// Delete an IAM user's access key.
///
/// The Id for the IAM access key.
/// The username of the user that owns the IAM
/// access key.
/// A Boolean value indicating the success of the action.
public async Task DeleteAccessKeyAsync(string accessKeyId, string userName)
{
var response = await _IAMService.DeleteAccessKeyAsync(new DeleteAccessKeyRequest
{
AccessKeyId = accessKeyId,
UserName = userName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM policy.
///
/// The Amazon Resource Name (ARN) of the policy to
/// delete.
/// A Boolean value indicating the success of the action.
public async Task DeletePolicyAsync(string policyArn)
{
var response = await _IAMService.DeletePolicyAsync(new DeletePolicyRequest { PolicyArn = policyArn });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM role.
///
/// The name of the IAM role to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRoleAsync(string roleName)
{
var response = await _IAMService.DeleteRoleAsync(new DeleteRoleRequest { RoleName = roleName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM role policy.
///
/// The name of the IAM role.
/// The name of the IAM role policy to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteRolePolicyAsync(string roleName, string policyName)
{
var response = await _IAMService.DeleteRolePolicyAsync(new DeleteRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM user.
///
/// The username of the IAM user to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserAsync(string userName)
{
var response = await _IAMService.DeleteUserAsync(new DeleteUserRequest { UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Delete an IAM user policy.
///
/// The name of the IAM policy to delete.
/// The username of the IAM user.
/// A Boolean value indicating the success of the action.
public async Task DeleteUserPolicyAsync(string policyName, string userName)
{
var response = await _IAMService.DeleteUserPolicyAsync(new DeleteUserPolicyRequest { PolicyName = policyName, UserName = userName });
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Detach an IAM policy from an IAM role.
///
/// The Amazon Resource Name (ARN) of the IAM policy.
/// The name of the IAM role.
/// A Boolean value indicating the success of the action.
public async Task DetachRolePolicyAsync(string policyArn, string roleName)
{
var response = await _IAMService.DetachRolePolicyAsync(new DetachRolePolicyRequest
{
PolicyArn = policyArn,
RoleName = roleName,
});
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Gets the IAM password policy for an AWS account.
///
/// The PasswordPolicy for the AWS account.
public async Task GetAccountPasswordPolicyAsync()
{
var response = await _IAMService.GetAccountPasswordPolicyAsync(new GetAccountPasswordPolicyRequest());
return response.PasswordPolicy;
}
///
/// Get information about an IAM policy.
///
/// The IAM policy to retrieve information for.
/// The IAM policy.
public async Task GetPolicyAsync(string policyArn)
{
var response = await _IAMService.GetPolicyAsync(new GetPolicyRequest { PolicyArn = policyArn });
return response.Policy;
}
///
/// Get information about an IAM role.
///
/// The name of the IAM role to retrieve information
/// for.
/// The IAM role that was retrieved.
public async Task GetRoleAsync(string roleName)
{
var response = await _IAMService.GetRoleAsync(new GetRoleRequest
{
RoleName = roleName,
});
return response.Role;
}
///
/// Get information about an IAM user.
///
/// The username of the user.
/// An IAM user object.
public async Task GetUserAsync(string userName)
{
var response = await _IAMService.GetUserAsync(new GetUserRequest { UserName = userName });
return response.User;
}
///
/// List the IAM role policies that are attached to an IAM role.
///
/// The IAM role to list IAM policies for.
/// A list of the IAM policies attached to the IAM role.
public async Task> ListAttachedRolePoliciesAsync(string roleName)
{
var attachedPolicies = new List();
var attachedRolePoliciesPaginator = _IAMService.Paginators.ListAttachedRolePolicies(new ListAttachedRolePoliciesRequest { RoleName = roleName });
await foreach (var response in attachedRolePoliciesPaginator.Responses)
{
attachedPolicies.AddRange(response.AttachedPolicies);
}
return attachedPolicies;
}
///
/// List IAM groups.
///
/// A list of IAM groups.
public async Task> ListGroupsAsync()
{
var groupsPaginator = _IAMService.Paginators.ListGroups(new ListGroupsRequest());
var groups = new List();
await foreach (var response in groupsPaginator.Responses)
{
groups.AddRange(response.Groups);
}
return groups;
}
///
/// List IAM policies.
///
/// A list of the IAM policies.
public async Task> ListPoliciesAsync()
{
var listPoliciesPaginator = _IAMService.Paginators.ListPolicies(new ListPoliciesRequest());
var policies = new List();
await foreach (var response in listPoliciesPaginator.Responses)
{
policies.AddRange(response.Policies);
}
return policies;
}
///
/// List IAM role policies.
///
/// The IAM role for which to list IAM policies.
/// A list of IAM policy names.
public async Task> ListRolePoliciesAsync(string roleName)
{
var listRolePoliciesPaginator = _IAMService.Paginators.ListRolePolicies(new ListRolePoliciesRequest { RoleName = roleName });
var policyNames = new List();
await foreach (var response in listRolePoliciesPaginator.Responses)
{
policyNames.AddRange(response.PolicyNames);
}
return policyNames;
}
///
/// List IAM roles.
///
/// A list of IAM roles.
public async Task> ListRolesAsync()
{
var listRolesPaginator = _IAMService.Paginators.ListRoles(new ListRolesRequest());
var roles = new List();
await foreach (var response in listRolesPaginator.Responses)
{
roles.AddRange(response.Roles);
}
return roles;
}
///
/// List SAML authentication providers.
///
/// A list of SAML providers.
public async Task> ListSAMLProvidersAsync()
{
var response = await _IAMService.ListSAMLProvidersAsync(new ListSAMLProvidersRequest());
return response.SAMLProviderList;
}
///
/// List IAM users.
///
/// A list of IAM users.
public async Task> ListUsersAsync()
{
var listUsersPaginator = _IAMService.Paginators.ListUsers(new ListUsersRequest());
var users = new List();
await foreach (var response in listUsersPaginator.Responses)
{
users.AddRange(response.Users);
}
return users;
}
///
/// Update the inline policy document embedded in a role.
///
/// The name of the policy to embed.
/// The name of the role to update.
/// The policy document that defines the role.
/// A Boolean value indicating the success of the action.
public async Task PutRolePolicyAsync(string policyName, string roleName, string policyDocument)
{
var request = new PutRolePolicyRequest
{
PolicyName = policyName,
RoleName = roleName,
PolicyDocument = policyDocument
};
var response = await _IAMService.PutRolePolicyAsync(request);
return response.HttpStatusCode == HttpStatusCode.OK;
}
///
/// Add or update an inline policy document that is embedded in an IAM user.
///
/// The name of the IAM user.
/// The name of the IAM policy.
/// The policy document defining the IAM policy.
/// A Boolean value indicating the success of the action.
public async Task PutUserPolicyAsync(string userName, string policyName, string policyDocument)
{
var request = new PutUserPolicyRequest
{
UserName = userName,
PolicyName = policyName,
PolicyDocument = policyDocument
};
var response = await _IAMService.PutUserPolicyAsync(request);
return response.HttpStatusCode == System.Net.HttpStatusCode.OK;
}
///
/// Wait for a new access key to be ready to use.
///
/// The Id of the access key.
/// A boolean value indicating the success of the action.
public async Task WaitUntilAccessKeyIsReady(string accessKeyId)
{
var keyReady = false;
do
{
try
{
var response = await _IAMService.GetAccessKeyLastUsedAsync(
new GetAccessKeyLastUsedRequest { AccessKeyId = accessKeyId });
if (response.UserName is not null)
{
keyReady = true;
}
}
catch (NoSuchEntityException)
{
keyReady = false;
}
} while (!keyReady);
return keyReady;
}
}
using Microsoft.Extensions.Configuration;
namespace IAMBasics;
public class IAMBasics
{
private static ILogger logger = null!;
static async Task Main(string[] args)
{
// Set up dependency injection for the AWS service.
using var host = Host.CreateDefaultBuilder(args)
.ConfigureLogging(logging =>
logging.AddFilter("System", LogLevel.Debug)
.AddFilter("Microsoft", LogLevel.Information)
.AddFilter("Microsoft", LogLevel.Trace))
.ConfigureServices((_, services) =>
services.AddAWSService()
.AddTransient()
.AddTransient()
)
.Build();
logger = LoggerFactory.Create(builder => { builder.AddConsole(); })
.CreateLogger();
IConfiguration configuration = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("settings.json") // Load test settings from .json file.
.AddJsonFile("settings.local.json",
true) // Optionally load local settings.
.Build();
// Values needed for user, role, and policies.
string userName = configuration["UserName"]!;
string s3PolicyName = configuration["S3PolicyName"]!;
string roleName = configuration["RoleName"]!;
var iamWrapper = host.Services.GetRequiredService();
var uiWrapper = host.Services.GetRequiredService();
uiWrapper.DisplayBasicsOverview();
uiWrapper.PressEnter();
// First create a user. By default, the new user has
// no permissions.
uiWrapper.DisplayTitle("Create User");
Console.WriteLine($"Creating a new user with user name: {userName}.");
var user = await iamWrapper.CreateUserAsync(userName);
var userArn = user.Arn;
Console.WriteLine($"Successfully created user: {userName} with ARN: {userArn}.");
uiWrapper.WaitABit(15, "Now let's wait for the user to be ready for use.");
// Define a role policy document that allows the new user
// to assume the role.
string assumeRolePolicyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
$" \"AWS\": \"{userArn}\"" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
// Permissions to list all buckets.
string policyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
" \"Statement\" : [{" +
" \"Action\" : [\"s3:ListAllMyBuckets\"]," +
" \"Effect\" : \"Allow\"," +
" \"Resource\" : \"*\"" +
"}]" +
"}";
// Create an AccessKey for the user.
uiWrapper.DisplayTitle("Create access key");
Console.WriteLine("Now let's create an access key for the new user.");
var accessKey = await iamWrapper.CreateAccessKeyAsync(userName);
var accessKeyId = accessKey.AccessKeyId;
var secretAccessKey = accessKey.SecretAccessKey;
Console.WriteLine($"We have created the access key with Access key id: {accessKeyId}.");
Console.WriteLine("Now let's wait until the IAM access key is ready to use.");
var keyReady = await iamWrapper.WaitUntilAccessKeyIsReady(accessKeyId);
// Now try listing the Amazon Simple Storage Service (Amazon S3)
// buckets. This should fail at this point because the user doesn't
// have permissions to perform this task.
uiWrapper.DisplayTitle("Try to display Amazon S3 buckets");
Console.WriteLine("Now let's try to display a list of the user's Amazon S3 buckets.");
var s3Client1 = new AmazonS3Client(accessKeyId, secretAccessKey);
var stsClient1 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey);
var s3Wrapper = new S3Wrapper(s3Client1, stsClient1);
var buckets = await s3Wrapper.ListMyBucketsAsync();
Console.WriteLine(buckets is null
? "As expected, the call to list the buckets has returned a null list."
: "Something went wrong. This shouldn't have worked.");
uiWrapper.PressEnter();
uiWrapper.DisplayTitle("Create IAM role");
Console.WriteLine($"Creating the role: {roleName}");
// Creating an IAM role to allow listing the S3 buckets. A role name
// is not case sensitive and must be unique to the account for which it
// is created.
var roleArn = await iamWrapper.CreateRoleAsync(roleName, assumeRolePolicyDocument);
uiWrapper.PressEnter();
// Create a policy with permissions to list S3 buckets.
uiWrapper.DisplayTitle("Create IAM policy");
Console.WriteLine($"Creating the policy: {s3PolicyName}");
Console.WriteLine("with permissions to list the Amazon S3 buckets for the account.");
var policy = await iamWrapper.CreatePolicyAsync(s3PolicyName, policyDocument);
// Wait 15 seconds for the IAM policy to be available.
uiWrapper.WaitABit(15, "Waiting for the policy to be available.");
// Attach the policy to the role you created earlier.
uiWrapper.DisplayTitle("Attach new IAM policy");
Console.WriteLine("Now let's attach the policy to the role.");
await iamWrapper.AttachRolePolicyAsync(policy.Arn, roleName);
// Wait 15 seconds for the role to be updated.
Console.WriteLine();
uiWrapper.WaitABit(15, "Waiting for the policy to be attached.");
// Use the AWS Security Token Service (AWS STS) to have the user
// assume the role we created.
var stsClient2 = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey);
// Wait for the new credentials to become valid.
uiWrapper.WaitABit(10, "Waiting for the credentials to be valid.");
var assumedRoleCredentials = await s3Wrapper.AssumeS3RoleAsync("temporary-session", roleArn);
// Try again to list the buckets using the client created with
// the new user's credentials. This time, it should work.
var s3Client2 = new AmazonS3Client(assumedRoleCredentials);
s3Wrapper.UpdateClients(s3Client2, stsClient2);
buckets = await s3Wrapper.ListMyBucketsAsync();
uiWrapper.DisplayTitle("List Amazon S3 buckets");
Console.WriteLine("This time we should have buckets to list.");
if (buckets is not null)
{
buckets.ForEach(bucket =>
{
Console.WriteLine($"{bucket.BucketName} created: {bucket.CreationDate}");
});
}
uiWrapper.PressEnter();
// Now clean up all the resources used in the example.
uiWrapper.DisplayTitle("Clean up resources");
Console.WriteLine("Thank you for watching. The IAM Basics demo is complete.");
Console.WriteLine("Please wait while we clean up the resources we created.");
await iamWrapper.DetachRolePolicyAsync(policy.Arn, roleName);
await iamWrapper.DeletePolicyAsync(policy.Arn);
await iamWrapper.DeleteRoleAsync(roleName);
await iamWrapper.DeleteAccessKeyAsync(accessKeyId, userName);
await iamWrapper.DeleteUserAsync(userName);
uiWrapper.PressEnter();
Console.WriteLine("All done cleaning up our resources. Thank you for your patience.");
}
}
namespace IamScenariosCommon;
using System.Net;
///
/// A class to perform Amazon Simple Storage Service (Amazon S3) actions for
/// the IAM Basics scenario.
///
public class S3Wrapper
{
private IAmazonS3 _s3Service;
private IAmazonSecurityTokenService _stsService;
///
/// Constructor for the S3Wrapper class.
///
/// An Amazon S3 client object.
/// An AWS Security Token Service (AWS STS)
/// client object.
public S3Wrapper(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService)
{
_s3Service = s3Service;
_stsService = stsService;
}
///
/// Assumes an AWS Identity and Access Management (IAM) role that allows
/// Amazon S3 access for the current session.
///
/// A string representing the current session.
/// The name of the IAM role to assume.
/// Credentials for the newly assumed IAM role.
public async Task AssumeS3RoleAsync(string roleSession, string roleToAssume)
{
// Create the request to use with the AssumeRoleAsync call.
var request = new AssumeRoleRequest()
{
RoleSessionName = roleSession,
RoleArn = roleToAssume,
};
var response = await _stsService.AssumeRoleAsync(request);
return response.Credentials;
}
///
/// Delete an S3 bucket.
///
/// Name of the S3 bucket to delete.
/// A Boolean value indicating the success of the action.
public async Task DeleteBucketAsync(string bucketName)
{
var result = await _s3Service.DeleteBucketAsync(new DeleteBucketRequest { BucketName = bucketName });
return result.HttpStatusCode == HttpStatusCode.OK;
}
///
/// List the buckets that are owned by the user's account.
///
/// Async Task.
public async Task?> ListMyBucketsAsync()
{
try
{
// Get the list of buckets accessible by the new user.
var response = await _s3Service.ListBucketsAsync();
return response.Buckets;
}
catch (AmazonS3Exception ex)
{
// Something else went wrong. Display the error message.
Console.WriteLine($"Error: {ex.Message}");
return null;
}
}
///
/// Create a new S3 bucket.
///
/// The name for the new bucket.
/// A Boolean value indicating whether the action completed
/// successfully.
public async Task PutBucketAsync(string bucketName)
{
var response = await _s3Service.PutBucketAsync(new PutBucketRequest { BucketName = bucketName });
return response.HttpStatusCode == HttpStatusCode.OK;
}
///
/// Update the client objects with new client objects. This is available
/// because the scenario uses the methods of this class without and then
/// with the proper permissions to list S3 buckets.
///
/// The Amazon S3 client object.
/// The AWS STS client object.
public void UpdateClients(IAmazonS3 s3Service, IAmazonSecurityTokenService stsService)
{
_s3Service = s3Service;
_stsService = stsService;
}
}
namespace IamScenariosCommon;
public class UIWrapper
{
public readonly string SepBar = new('-', Console.WindowWidth);
///
/// Show information about the IAM Groups scenario.
///
public void DisplayGroupsOverview()
{
Console.Clear();
DisplayTitle("Welcome to the IAM Groups Demo");
Console.WriteLine("This example application does the following:");
Console.WriteLine("\t1. Creates an Amazon Identity and Access Management (IAM) group.");
Console.WriteLine("\t2. Adds an IAM policy to the IAM group giving it full access to Amazon S3.");
Console.WriteLine("\t3. Creates a new IAM user.");
Console.WriteLine("\t4. Creates an IAM access key for the user.");
Console.WriteLine("\t5. Adds the user to the IAM group.");
Console.WriteLine("\t6. Lists the buckets on the account.");
Console.WriteLine("\t7. Proves that the user has full Amazon S3 access by creating a bucket.");
Console.WriteLine("\t8. List the buckets again to show the new bucket.");
Console.WriteLine("\t9. Cleans up all the resources created.");
}
///
/// Show information about the IAM Basics scenario.
///
public void DisplayBasicsOverview()
{
Console.Clear();
DisplayTitle("Welcome to IAM Basics");
Console.WriteLine("This example application does the following:");
Console.WriteLine("\t1. Creates a user with no permissions.");
Console.WriteLine("\t2. Creates a role and policy that grant s3:ListAllMyBuckets permission.");
Console.WriteLine("\t3. Grants the user permission to assume the role.");
Console.WriteLine("\t4. Creates an S3 client object as the user and tries to list buckets (this will fail).");
Console.WriteLine("\t5. Gets temporary credentials by assuming the role.");
Console.WriteLine("\t6. Creates a new S3 client object with the temporary credentials and lists the buckets (this will succeed).");
Console.WriteLine("\t7. Deletes all the resources.");
}
///
/// Display a message and wait until the user presses enter.
///
public void PressEnter()
{
Console.Write("\nPress to continue. ");
_ = Console.ReadLine();
Console.WriteLine();
}
///
/// Pad a string with spaces to center it on the console display.
///
/// The string to be centered.
/// The padded string.
public string CenterString(string strToCenter)
{
var padAmount = (Console.WindowWidth - strToCenter.Length) / 2;
var leftPad = new string(' ', padAmount);
return $"{leftPad}{strToCenter}";
}
///
/// Display a line of hyphens, the centered text of the title, and another
/// line of hyphens.
///
/// The string to be displayed.
public void DisplayTitle(string strTitle)
{
Console.WriteLine(SepBar);
Console.WriteLine(CenterString(strTitle));
Console.WriteLine(SepBar);
}
///
/// Display a countdown and wait for a number of seconds.
///
/// The number of seconds to wait.
public void WaitABit(int numSeconds, string msg)
{
Console.WriteLine(msg);
// Wait for the requested number of seconds.
for (int i = numSeconds; i > 0; i--)
{
System.Threading.Thread.Sleep(1000);
Console.Write($"{i}...");
}
PressEnter();
}
}
```
+ For API details, see the following topics in *AWS SDK for .NET API Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Bash ]
**AWS CLI with Bash script**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples).
```
###############################################################################
# function iam_create_user_assume_role
#
# Scenario to create an IAM user, create an IAM role, and apply the role to the user.
#
# "IAM access" permissions are needed to run this code.
# "STS assume role" permissions are needed to run this code. (Note: It might be necessary to
# create a custom policy).
#
# Returns:
# 0 - If successful.
# 1 - If an error occurred.
###############################################################################
function iam_create_user_assume_role() {
{
if [ "$IAM_OPERATIONS_SOURCED" != "True" ]; then
source ./iam_operations.sh
fi
}
echo_repeat "*" 88
echo "Welcome to the IAM create user and assume role demo."
echo
echo "This demo will create an IAM user, create an IAM role, and apply the role to the user."
echo_repeat "*" 88
echo
echo -n "Enter a name for a new IAM user: "
get_input
user_name=$get_input_result
local user_arn
user_arn=$(iam_create_user -u "$user_name")
# shellcheck disable=SC2181
if [[ ${?} == 0 ]]; then
echo "Created demo IAM user named $user_name"
else
errecho "$user_arn"
errecho "The user failed to create. This demo will exit."
return 1
fi
local access_key_response
access_key_response=$(iam_create_user_access_key -u "$user_name")
# shellcheck disable=SC2181
if [[ ${?} != 0 ]]; then
errecho "The access key failed to create. This demo will exit."
clean_up "$user_name"
return 1
fi
IFS=$'\t ' read -r -a access_key_values <<<"$access_key_response"
local key_name=${access_key_values[0]}
local key_secret=${access_key_values[1]}
echo "Created access key named $key_name"
echo "Wait 10 seconds for the user to be ready."
sleep 10
echo_repeat "*" 88
echo
local iam_role_name
iam_role_name=$(generate_random_name "test-role")
echo "Creating a role named $iam_role_name with user $user_name as the principal."
local assume_role_policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"$user_arn\"},
\"Action\": \"sts:AssumeRole\"
}]
}"
local role_arn
role_arn=$(iam_create_role -n "$iam_role_name" -p "$assume_role_policy_document")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Created IAM role named $iam_role_name"
else
errecho "The role failed to create. This demo will exit."
clean_up "$user_name" "$key_name"
return 1
fi
local policy_name
policy_name=$(generate_random_name "test-policy")
local policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]}"
local policy_arn
policy_arn=$(iam_create_policy -n "$policy_name" -p "$policy_document")
# shellcheck disable=SC2181
if [[ ${?} == 0 ]]; then
echo "Created IAM policy named $policy_name"
else
errecho "The policy failed to create."
clean_up "$user_name" "$key_name" "$iam_role_name"
return 1
fi
if (iam_attach_role_policy -n "$iam_role_name" -p "$policy_arn"); then
echo "Attached policy $policy_arn to role $iam_role_name"
else
errecho "The policy failed to attach."
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn"
return 1
fi
local assume_role_policy_document="{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"$role_arn\"}]}"
local assume_role_policy_name
assume_role_policy_name=$(generate_random_name "test-assume-role-")
# shellcheck disable=SC2181
local assume_role_policy_arn
assume_role_policy_arn=$(iam_create_policy -n "$assume_role_policy_name" -p "$assume_role_policy_document")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Created IAM policy named $assume_role_policy_name for sts assume role"
else
errecho "The policy failed to create."
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn"
return 1
fi
echo "Wait 10 seconds to give AWS time to propagate these new resources and connections."
sleep 10
echo_repeat "*" 88
echo
echo "Try to list buckets without the new user assuming the role."
echo_repeat "*" 88
echo
# Set the environment variables for the created user.
# bashsupport disable=BP2001
export AWS_ACCESS_KEY_ID=$key_name
# bashsupport disable=BP2001
export AWS_SECRET_ACCESS_KEY=$key_secret
local buckets
buckets=$(s3_list_buckets)
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
local bucket_count
bucket_count=$(echo "$buckets" | wc -w | xargs)
echo "There are $bucket_count buckets in the account. This should not have happened."
else
errecho "Because the role with permissions has not been assumed, listing buckets failed."
fi
echo
echo_repeat "*" 88
echo "Now assume the role $iam_role_name and list the buckets."
echo_repeat "*" 88
echo
local credentials
credentials=$(sts_assume_role -r "$role_arn" -n "AssumeRoleDemoSession")
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
echo "Assumed role $iam_role_name"
else
errecho "Failed to assume role."
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
return 1
fi
IFS=$'\t ' read -r -a credentials <<<"$credentials"
export AWS_ACCESS_KEY_ID=${credentials[0]}
export AWS_SECRET_ACCESS_KEY=${credentials[1]}
# bashsupport disable=BP2001
export AWS_SESSION_TOKEN=${credentials[2]}
buckets=$(s3_list_buckets)
# shellcheck disable=SC2181
if [ ${?} == 0 ]; then
local bucket_count
bucket_count=$(echo "$buckets" | wc -w | xargs)
echo "There are $bucket_count buckets in the account. Listing buckets succeeded because of "
echo "the assumed role."
else
errecho "Failed to list buckets. This should not happen."
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
export AWS_SESSION_TOKEN=""
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
return 1
fi
local result=0
export AWS_ACCESS_KEY_ID=""
export AWS_SECRET_ACCESS_KEY=""
echo
echo_repeat "*" 88
echo "The created resources will now be deleted."
echo_repeat "*" 88
echo
clean_up "$user_name" "$key_name" "$iam_role_name" "$policy_arn" "$policy_arn" "$assume_role_policy_arn"
# shellcheck disable=SC2181
if [[ ${?} -ne 0 ]]; then
result=1
fi
return $result
}
```
The IAM functions used in this scenario.
```
###############################################################################
# function iam_user_exists
#
# This function checks to see if the specified AWS Identity and Access Management (IAM) user already exists.
#
# Parameters:
# $1 - The name of the IAM user to check.
#
# Returns:
# 0 - If the user already exists.
# 1 - If the user doesn't exist.
###############################################################################
function iam_user_exists() {
local user_name
user_name=$1
# Check whether the IAM user already exists.
# We suppress all output - we're interested only in the return code.
local errors
errors=$(aws iam get-user \
--user-name "$user_name" 2>&1 >/dev/null)
local error_code=${?}
if [[ $error_code -eq 0 ]]; then
return 0 # 0 in Bash script means true.
else
if [[ $errors != *"error"*"(NoSuchEntity)"* ]]; then
aws_cli_error_log $error_code
errecho "Error calling iam get-user $errors"
fi
return 1 # 1 in Bash script means false.
fi
}
###############################################################################
# function iam_create_user
#
# This function creates the specified IAM user, unless
# it already exists.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# The ARN of the user.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user"
echo "Creates an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user. It must be unique within the account."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user already exists, we don't want to try to create it.
if (iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name already exists in the account."
return 1
fi
response=$(aws iam create-user --user-name "$user_name" \
--output text \
--query 'User.Arn')
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-user operation failed.$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_create_user_access_key
#
# This function creates an IAM access key for the specified user.
#
# Parameters:
# -u user_name -- The name of the IAM user.
# [-f file_name] -- The optional file name for the access key output.
#
# Returns:
# [access_key_id access_key_secret]
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_user_access_key() {
local user_name file_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) key pair."
echo " -u user_name The name of the IAM user."
echo " [-f file_name] Optional file name for the access key output."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:f:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
f) file_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
response=$(aws iam create-access-key \
--user-name "$user_name" \
--output text)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-access-key operation failed.$response"
return 1
fi
if [[ -n "$file_name" ]]; then
echo "$response" >"$file_name"
fi
local key_id key_secret
# shellcheck disable=SC2086
key_id=$(echo $response | cut -f 2 -d ' ')
# shellcheck disable=SC2086
key_secret=$(echo $response | cut -f 4 -d ' ')
echo "$key_id $key_secret"
return 0
}
###############################################################################
# function iam_create_role
#
# This function creates an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_json -- The assume role policy document.
#
# Returns:
# The ARN of the role.
# And:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_role() {
local role_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_user_access_key"
echo "Creates an AWS Identity and Access Management (IAM) role."
echo " -n role_name The name of the IAM role."
echo " -p policy_json -- The assume role policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-role \
--role-name "$role_name" \
--assume-role-policy-document "$policy_document" \
--output text \
--query Role.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-role operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_create_policy
#
# This function creates an IAM policy.
#
# Parameters:
# -n policy_name -- The name of the IAM policy.
# -p policy_json -- The policy document.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_create_policy() {
local policy_name policy_document response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_create_policy"
echo "Creates an AWS Identity and Access Management (IAM) policy."
echo " -n policy_name The name of the IAM policy."
echo " -p policy_json -- The policy document."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) policy_name="${OPTARG}" ;;
p) policy_document="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_name" ]]; then
errecho "ERROR: You must provide a policy name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_document" ]]; then
errecho "ERROR: You must provide a policy document with the -p parameter."
usage
return 1
fi
response=$(aws iam create-policy \
--policy-name "$policy_name" \
--policy-document "$policy_document" \
--output text \
--query Policy.Arn)
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-policy operation failed.\n$response"
return 1
fi
echo "$response"
}
###############################################################################
# function iam_attach_role_policy
#
# This function attaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_attach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_attach_role_policy"
echo "Attaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam attach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports attach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_detach_role_policy
#
# This function detaches an IAM policy to a tole.
#
# Parameters:
# -n role_name -- The name of the IAM role.
# -p policy_ARN -- The IAM policy document ARN..
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_detach_role_policy() {
local role_name policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_detach_role_policy"
echo "Detaches an AWS Identity and Access Management (IAM) policy to an IAM role."
echo " -n role_name The name of the IAM role."
echo " -p policy_ARN -- The IAM policy document ARN."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:p:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
p) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy ARN with the -p parameter."
usage
return 1
fi
response=$(aws iam detach-role-policy \
--role-name "$role_name" \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports detach-role-policy operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
###############################################################################
# function iam_delete_policy
#
# This function deletes an IAM policy.
#
# Parameters:
# -n policy_arn -- The name of the IAM policy arn.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_policy() {
local policy_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_policy"
echo "Deletes an AWS Identity and Access Management (IAM) policy"
echo " -n policy_arn -- The name of the IAM policy arn."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) policy_arn="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$policy_arn" ]]; then
errecho "ERROR: You must provide a policy arn with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Policy arn: $policy_arn"
iecho ""
response=$(aws iam delete-policy \
--policy-arn "$policy_arn")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-policy operation failed.\n$response"
return 1
fi
iecho "delete-policy response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_role
#
# This function deletes an IAM role.
#
# Parameters:
# -n role_name -- The name of the IAM role.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_role() {
local role_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_role"
echo "Deletes an AWS Identity and Access Management (IAM) role"
echo " -n role_name -- The name of the IAM role."
echo ""
}
# Retrieve the calling parameters.
while getopts "n:h" option; do
case "${option}" in
n) role_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
echo "role_name:$role_name"
if [[ -z "$role_name" ]]; then
errecho "ERROR: You must provide a role name with the -n parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Role name: $role_name"
iecho ""
response=$(aws iam delete-role \
--role-name "$role_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-role operation failed.\n$response"
return 1
fi
iecho "delete-role response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_access_key
#
# This function deletes an IAM access key for the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user.
# -k access_key -- The access key to delete.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_access_key() {
local user_name access_key response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_access_key"
echo "Deletes an AWS Identity and Access Management (IAM) access key for the specified IAM user"
echo " -u user_name The name of the user."
echo " -k access_key The access key to delete."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:k:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
k) access_key="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
if [[ -z "$access_key" ]]; then
errecho "ERROR: You must provide an access key with the -k parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " Username: $user_name"
iecho " Access key: $access_key"
iecho ""
response=$(aws iam delete-access-key \
--user-name "$user_name" \
--access-key-id "$access_key")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-access-key operation failed.\n$response"
return 1
fi
iecho "delete-access-key response:$response"
iecho
return 0
}
###############################################################################
# function iam_delete_user
#
# This function deletes the specified IAM user.
#
# Parameters:
# -u user_name -- The name of the user to create.
#
# Returns:
# 0 - If successful.
# 1 - If it fails.
###############################################################################
function iam_delete_user() {
local user_name response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function iam_delete_user"
echo "Deletes an AWS Identity and Access Management (IAM) user. You must supply a username:"
echo " -u user_name The name of the user."
echo ""
}
# Retrieve the calling parameters.
while getopts "u:h" option; do
case "${option}" in
u) user_name="${OPTARG}" ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
export OPTIND=1
if [[ -z "$user_name" ]]; then
errecho "ERROR: You must provide a username with the -u parameter."
usage
return 1
fi
iecho "Parameters:\n"
iecho " User name: $user_name"
iecho ""
# If the user does not exist, we don't want to try to delete it.
if (! iam_user_exists "$user_name"); then
errecho "ERROR: A user with that name does not exist in the account."
return 1
fi
response=$(aws iam delete-user \
--user-name "$user_name")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports delete-user operation failed.$response"
return 1
fi
iecho "delete-user response:$response"
iecho
return 0
}
```
+ For API details, see the following topics in *AWS CLI Command Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/aws-cli/iam-2010-05-08/PutUserPolicy)
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/iam#code-examples).
```
namespace AwsDoc {
namespace IAM {
//! Cleanup by deleting created entities.
/*!
\sa DeleteCreatedEntities
\param client: IAM client.
\param role: IAM role.
\param user: IAM user.
\param policy: IAM policy.
*/
static bool DeleteCreatedEntities(const Aws::IAM::IAMClient &client,
const Aws::IAM::Model::Role &role,
const Aws::IAM::Model::User &user,
const Aws::IAM::Model::Policy &policy);
}
static const int LIST_BUCKETS_WAIT_SEC = 20;
static const char ALLOCATION_TAG[] = "example_code";
}
//! Scenario to create an IAM user, create an IAM role, and apply the role to the user.
// "IAM access" permissions are needed to run this code.
// "STS assume role" permissions are needed to run this code. (Note: It might be necessary to
// create a custom policy).
/*!
\sa iamCreateUserAssumeRoleScenario
\param clientConfig: Aws client configuration.
\return bool: Successful completion.
*/
bool AwsDoc::IAM::iamCreateUserAssumeRoleScenario(
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::IAM::IAMClient client(clientConfig);
Aws::IAM::Model::User user;
Aws::IAM::Model::Role role;
Aws::IAM::Model::Policy policy;
// 1. Create a user.
{
Aws::IAM::Model::CreateUserRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String userName = "iam-demo-user-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetUserName(userName);
Aws::IAM::Model::CreateUserOutcome outcome = client.CreateUser(request);
if (!outcome.IsSuccess()) {
std::cout << "Error creating IAM user " << userName << ":" <<
outcome.GetError().GetMessage() << std::endl;
return false;
}
else {
std::cout << "Successfully created IAM user " << userName << std::endl;
}
user = outcome.GetResult().GetUser();
}
// 2. Create a role.
{
// Get the IAM user for the current client in order to access its ARN.
Aws::String iamUserArn;
{
Aws::IAM::Model::GetUserRequest request;
Aws::IAM::Model::GetUserOutcome outcome = client.GetUser(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error getting Iam user. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully retrieved Iam user "
<< outcome.GetResult().GetUser().GetUserName()
<< std::endl;
}
iamUserArn = outcome.GetResult().GetUser().GetArn();
}
Aws::IAM::Model::CreateRoleRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String roleName = "iam-demo-role-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetRoleName(roleName);
// Build policy document for role.
Aws::Utils::Document jsonStatement;
jsonStatement.WithString("Effect", "Allow");
Aws::Utils::Document jsonPrincipal;
jsonPrincipal.WithString("AWS", iamUserArn);
jsonStatement.WithObject("Principal", jsonPrincipal);
jsonStatement.WithString("Action", "sts:AssumeRole");
jsonStatement.WithObject("Condition", Aws::Utils::Document());
Aws::Utils::Document policyDocument;
policyDocument.WithString("Version", "2012-10-17");
Aws::Utils::Array statements(1);
statements[0] = jsonStatement;
policyDocument.WithArray("Statement", statements);
std::cout << "Setting policy for role\n "
<< policyDocument.View().WriteCompact() << std::endl;
// Set role policy document as JSON string.
request.SetAssumeRolePolicyDocument(policyDocument.View().WriteCompact());
Aws::IAM::Model::CreateRoleOutcome outcome = client.CreateRole(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating role. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully created a role with name " << roleName
<< std::endl;
}
role = outcome.GetResult().GetRole();
}
// 3. Create an IAM policy.
{
Aws::IAM::Model::CreatePolicyRequest request;
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String policyName = "iam-demo-policy-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetPolicyName(policyName);
// Build IAM policy document.
Aws::Utils::Document jsonStatement;
jsonStatement.WithString("Effect", "Allow");
jsonStatement.WithString("Action", "s3:ListAllMyBuckets");
jsonStatement.WithString("Resource", "arn:aws:s3:::*");
Aws::Utils::Document policyDocument;
policyDocument.WithString("Version", "2012-10-17");
Aws::Utils::Array statements(1);
statements[0] = jsonStatement;
policyDocument.WithArray("Statement", statements);
std::cout << "Creating a policy.\n " << policyDocument.View().WriteCompact()
<< std::endl;
// Set IAM policy document as JSON string.
request.SetPolicyDocument(policyDocument.View().WriteCompact());
Aws::IAM::Model::CreatePolicyOutcome outcome = client.CreatePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating policy. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully created a policy with name, " << policyName <<
"." << std::endl;
}
policy = outcome.GetResult().GetPolicy();
}
// 4. Assume the new role using the AWS Security Token Service (STS).
Aws::STS::Model::Credentials credentials;
{
Aws::STS::STSClient stsClient(clientConfig);
Aws::STS::Model::AssumeRoleRequest request;
request.SetRoleArn(role.GetArn());
Aws::String uuid = Aws::Utils::UUID::RandomUUID();
Aws::String roleSessionName = "iam-demo-role-session-" +
Aws::Utils::StringUtils::ToLower(uuid.c_str());
request.SetRoleSessionName(roleSessionName);
Aws::STS::Model::AssumeRoleOutcome assumeRoleOutcome;
// Repeatedly call AssumeRole, because there is often a delay
// before the role is available to be assumed.
// Repeat at most 20 times when access is denied.
int count = 0;
while (true) {
assumeRoleOutcome = stsClient.AssumeRole(request);
if (!assumeRoleOutcome.IsSuccess()) {
if (count > 20 ||
assumeRoleOutcome.GetError().GetErrorType() !=
Aws::STS::STSErrors::ACCESS_DENIED) {
std::cerr << "Error assuming role after 20 tries. " <<
assumeRoleOutcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
std::this_thread::sleep_for(std::chrono::seconds(1));
}
else {
std::cout << "Successfully assumed the role after " << count
<< " seconds." << std::endl;
break;
}
count++;
}
credentials = assumeRoleOutcome.GetResult().GetCredentials();
}
// 5. List objects in the bucket (This should fail).
{
Aws::S3::S3Client s3Client(
Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(),
credentials.GetSecretAccessKey(),
credentials.GetSessionToken()),
Aws::MakeShared(ALLOCATION_TAG),
clientConfig);
Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets();
if (!listBucketsOutcome.IsSuccess()) {
if (listBucketsOutcome.GetError().GetErrorType() !=
Aws::S3::S3Errors::ACCESS_DENIED) {
std::cerr << "Could not lists buckets. " <<
listBucketsOutcome.GetError().GetMessage() << std::endl;
}
else {
std::cout
<< "Access to list buckets denied because privileges have not been applied."
<< std::endl;
}
}
else {
std::cerr
<< "Successfully retrieved bucket lists when this should not happen."
<< std::endl;
}
}
// 6. Attach the policy to the role.
{
Aws::IAM::Model::AttachRolePolicyRequest request;
request.SetRoleName(role.GetRoleName());
request.WithPolicyArn(policy.GetArn());
Aws::IAM::Model::AttachRolePolicyOutcome outcome = client.AttachRolePolicy(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error creating policy. " <<
outcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
else {
std::cout << "Successfully attached the policy with name, "
<< policy.GetPolicyName() <<
", to the role, " << role.GetRoleName() << "." << std::endl;
}
}
int count = 0;
// 7. List objects in the bucket (this should succeed).
// Repeatedly call ListBuckets, because there is often a delay
// before the policy with ListBucket permissions has been applied to the role.
// Repeat at most LIST_BUCKETS_WAIT_SEC times when access is denied.
while (true) {
Aws::S3::S3Client s3Client(
Aws::Auth::AWSCredentials(credentials.GetAccessKeyId(),
credentials.GetSecretAccessKey(),
credentials.GetSessionToken()),
Aws::MakeShared(ALLOCATION_TAG),
clientConfig);
Aws::S3::Model::ListBucketsOutcome listBucketsOutcome = s3Client.ListBuckets();
if (!listBucketsOutcome.IsSuccess()) {
if ((count > LIST_BUCKETS_WAIT_SEC) ||
listBucketsOutcome.GetError().GetErrorType() !=
Aws::S3::S3Errors::ACCESS_DENIED) {
std::cerr << "Could not lists buckets after " << LIST_BUCKETS_WAIT_SEC << " seconds. " <<
listBucketsOutcome.GetError().GetMessage() << std::endl;
DeleteCreatedEntities(client, role, user, policy);
return false;
}
std::this_thread::sleep_for(std::chrono::seconds(1));
}
else {
std::cout << "Successfully retrieved bucket lists after " << count
<< " seconds." << std::endl;
break;
}
count++;
}
// 8. Delete all the created resources.
return DeleteCreatedEntities(client, role, user, policy);
}
bool AwsDoc::IAM::DeleteCreatedEntities(const Aws::IAM::IAMClient &client,
const Aws::IAM::Model::Role &role,
const Aws::IAM::Model::User &user,
const Aws::IAM::Model::Policy &policy) {
bool result = true;
if (policy.ArnHasBeenSet()) {
// Detach the policy from the role.
{
Aws::IAM::Model::DetachRolePolicyRequest request;
request.SetPolicyArn(policy.GetArn());
request.SetRoleName(role.GetRoleName());
Aws::IAM::Model::DetachRolePolicyOutcome outcome = client.DetachRolePolicy(
request);
if (!outcome.IsSuccess()) {
std::cerr << "Error Detaching policy from roles. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully detached the policy with arn "
<< policy.GetArn()
<< " from role " << role.GetRoleName() << "." << std::endl;
}
}
// Delete the policy.
{
Aws::IAM::Model::DeletePolicyRequest request;
request.WithPolicyArn(policy.GetArn());
Aws::IAM::Model::DeletePolicyOutcome outcome = client.DeletePolicy(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting policy. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the policy with arn "
<< policy.GetArn() << std::endl;
}
}
}
if (role.RoleIdHasBeenSet()) {
// Delete the role.
Aws::IAM::Model::DeleteRoleRequest request;
request.SetRoleName(role.GetRoleName());
Aws::IAM::Model::DeleteRoleOutcome outcome = client.DeleteRole(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting role. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the role with name "
<< role.GetRoleName() << std::endl;
}
}
if (user.ArnHasBeenSet()) {
// Delete the user.
Aws::IAM::Model::DeleteUserRequest request;
request.WithUserName(user.GetUserName());
Aws::IAM::Model::DeleteUserOutcome outcome = client.DeleteUser(request);
if (!outcome.IsSuccess()) {
std::cerr << "Error deleting user. " <<
outcome.GetError().GetMessage() << std::endl;
result = false;
}
else {
std::cout << "Successfully deleted the user with name "
<< user.GetUserName() << std::endl;
}
}
return result;
}
```
+ For API details, see the following topics in *AWS SDK for C\$1\$1 API Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForCpp/iam-2010-05-08/PutUserPolicy)
------
#### [ Go ]
**SDK for Go V2**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/iam#code-examples).
Run an interactive scenario at a command prompt.
```
import (
"context"
"errors"
"fmt"
"log"
"math/rand"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/config"
"github.com/aws/aws-sdk-go-v2/credentials"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/aws-sdk-go-v2/service/s3"
"github.com/aws/aws-sdk-go-v2/service/sts"
"github.com/aws/smithy-go"
"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
"github.com/awsdocs/aws-doc-sdk-examples/gov2/iam/actions"
)
// AssumeRoleScenario shows you how to use the AWS Identity and Access Management (IAM)
// service to perform the following actions:
//
// 1. Create a user who has no permissions.
// 2. Create a role that grants permission to list Amazon Simple Storage Service
// (Amazon S3) buckets for the account.
// 3. Add a policy to let the user assume the role.
// 4. Try and fail to list buckets without permissions.
// 5. Assume the role and list S3 buckets using temporary credentials.
// 6. Delete the policy, role, and user.
type AssumeRoleScenario struct {
sdkConfig aws.Config
accountWrapper actions.AccountWrapper
policyWrapper actions.PolicyWrapper
roleWrapper actions.RoleWrapper
userWrapper actions.UserWrapper
questioner demotools.IQuestioner
helper IScenarioHelper
isTestRun bool
}
// NewAssumeRoleScenario constructs an AssumeRoleScenario instance from a configuration.
// It uses the specified config to get an IAM client and create wrappers for the actions
// used in the scenario.
func NewAssumeRoleScenario(sdkConfig aws.Config, questioner demotools.IQuestioner,
helper IScenarioHelper) AssumeRoleScenario {
iamClient := iam.NewFromConfig(sdkConfig)
return AssumeRoleScenario{
sdkConfig: sdkConfig,
accountWrapper: actions.AccountWrapper{IamClient: iamClient},
policyWrapper: actions.PolicyWrapper{IamClient: iamClient},
roleWrapper: actions.RoleWrapper{IamClient: iamClient},
userWrapper: actions.UserWrapper{IamClient: iamClient},
questioner: questioner,
helper: helper,
}
}
// addTestOptions appends the API options specified in the original configuration to
// another configuration. This is used to attach the middleware stubber to clients
// that are constructed during the scenario, which is needed for unit testing.
func (scenario AssumeRoleScenario) addTestOptions(scenarioConfig *aws.Config) {
if scenario.isTestRun {
scenarioConfig.APIOptions = append(scenarioConfig.APIOptions, scenario.sdkConfig.APIOptions...)
}
}
// Run runs the interactive scenario.
func (scenario AssumeRoleScenario) Run(ctx context.Context) {
defer func() {
if r := recover(); r != nil {
log.Printf("Something went wrong with the demo.\n")
log.Println(r)
}
}()
log.Println(strings.Repeat("-", 88))
log.Println("Welcome to the AWS Identity and Access Management (IAM) assume role demo.")
log.Println(strings.Repeat("-", 88))
user := scenario.CreateUser(ctx)
accessKey := scenario.CreateAccessKey(ctx, user)
role := scenario.CreateRoleAndPolicies(ctx, user)
noPermsConfig := scenario.ListBucketsWithoutPermissions(ctx, accessKey)
scenario.ListBucketsWithAssumedRole(ctx, noPermsConfig, role)
scenario.Cleanup(ctx, user, role)
log.Println(strings.Repeat("-", 88))
log.Println("Thanks for watching!")
log.Println(strings.Repeat("-", 88))
}
// CreateUser creates a new IAM user. This user has no permissions.
func (scenario AssumeRoleScenario) CreateUser(ctx context.Context) *types.User {
log.Println("Let's create an example user with no permissions.")
userName := scenario.questioner.Ask("Enter a name for the example user:", demotools.NotEmpty{})
user, err := scenario.userWrapper.GetUser(ctx, userName)
if err != nil {
panic(err)
}
if user == nil {
user, err = scenario.userWrapper.CreateUser(ctx, userName)
if err != nil {
panic(err)
}
log.Printf("Created user %v.\n", *user.UserName)
} else {
log.Printf("User %v already exists.\n", *user.UserName)
}
log.Println(strings.Repeat("-", 88))
return user
}
// CreateAccessKey creates an access key for the user.
func (scenario AssumeRoleScenario) CreateAccessKey(ctx context.Context, user *types.User) *types.AccessKey {
accessKey, err := scenario.userWrapper.CreateAccessKeyPair(ctx, *user.UserName)
if err != nil {
panic(err)
}
log.Printf("Created access key %v for your user.", *accessKey.AccessKeyId)
log.Println("Waiting a few seconds for your user to be ready...")
scenario.helper.Pause(10)
log.Println(strings.Repeat("-", 88))
return accessKey
}
// CreateRoleAndPolicies creates a policy that grants permission to list S3 buckets for
// the current account and attaches the policy to a newly created role. It also adds an
// inline policy to the specified user that grants the user permission to assume the role.
func (scenario AssumeRoleScenario) CreateRoleAndPolicies(ctx context.Context, user *types.User) *types.Role {
log.Println("Let's create a role and policy that grant permission to list S3 buckets.")
scenario.questioner.Ask("Press Enter when you're ready.")
listBucketsRole, err := scenario.roleWrapper.CreateRole(ctx, scenario.helper.GetName(), *user.Arn)
if err != nil {
panic(err)
}
log.Printf("Created role %v.\n", *listBucketsRole.RoleName)
listBucketsPolicy, err := scenario.policyWrapper.CreatePolicy(
ctx, scenario.helper.GetName(), []string{"s3:ListAllMyBuckets"}, "arn:aws:s3:::*")
if err != nil {
panic(err)
}
log.Printf("Created policy %v.\n", *listBucketsPolicy.PolicyName)
err = scenario.roleWrapper.AttachRolePolicy(ctx, *listBucketsPolicy.Arn, *listBucketsRole.RoleName)
if err != nil {
panic(err)
}
log.Printf("Attached policy %v to role %v.\n", *listBucketsPolicy.PolicyName,
*listBucketsRole.RoleName)
err = scenario.userWrapper.CreateUserPolicy(ctx, *user.UserName, scenario.helper.GetName(),
[]string{"sts:AssumeRole"}, *listBucketsRole.Arn)
if err != nil {
panic(err)
}
log.Printf("Created an inline policy for user %v that lets the user assume the role.\n",
*user.UserName)
log.Println("Let's give AWS a few seconds to propagate these new resources and connections...")
scenario.helper.Pause(10)
log.Println(strings.Repeat("-", 88))
return listBucketsRole
}
// ListBucketsWithoutPermissions creates an Amazon S3 client from the user's access key
// credentials and tries to list buckets for the account. Because the user does not have
// permission to perform this action, the action fails.
func (scenario AssumeRoleScenario) ListBucketsWithoutPermissions(ctx context.Context, accessKey *types.AccessKey) *aws.Config {
log.Println("Let's try to list buckets without permissions. This should return an AccessDenied error.")
scenario.questioner.Ask("Press Enter when you're ready.")
noPermsConfig, err := config.LoadDefaultConfig(ctx,
config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
*accessKey.AccessKeyId, *accessKey.SecretAccessKey, ""),
))
if err != nil {
panic(err)
}
// Add test options if this is a test run. This is needed only for testing purposes.
scenario.addTestOptions(&noPermsConfig)
s3Client := s3.NewFromConfig(noPermsConfig)
_, err = s3Client.ListBuckets(ctx, &s3.ListBucketsInput{})
if err != nil {
// The SDK for Go does not model the AccessDenied error, so check ErrorCode directly.
var ae smithy.APIError
if errors.As(err, &ae) {
switch ae.ErrorCode() {
case "AccessDenied":
log.Println("Got AccessDenied error, which is the expected result because\n" +
"the ListBuckets call was made without permissions.")
default:
log.Println("Expected AccessDenied, got something else.")
panic(err)
}
}
} else {
log.Println("Expected AccessDenied error when calling ListBuckets without permissions,\n" +
"but the call succeeded. Continuing the example anyway...")
}
log.Println(strings.Repeat("-", 88))
return &noPermsConfig
}
// ListBucketsWithAssumedRole performs the following actions:
//
// 1. Creates an AWS Security Token Service (AWS STS) client from the config created from
// the user's access key credentials.
// 2. Gets temporary credentials by assuming the role that grants permission to list the
// buckets.
// 3. Creates an Amazon S3 client from the temporary credentials.
// 4. Lists buckets for the account. Because the temporary credentials are generated by
// assuming the role that grants permission, the action succeeds.
func (scenario AssumeRoleScenario) ListBucketsWithAssumedRole(ctx context.Context, noPermsConfig *aws.Config, role *types.Role) {
log.Println("Let's assume the role that grants permission to list buckets and try again.")
scenario.questioner.Ask("Press Enter when you're ready.")
stsClient := sts.NewFromConfig(*noPermsConfig)
tempCredentials, err := stsClient.AssumeRole(ctx, &sts.AssumeRoleInput{
RoleArn: role.Arn,
RoleSessionName: aws.String("AssumeRoleExampleSession"),
DurationSeconds: aws.Int32(900),
})
if err != nil {
log.Printf("Couldn't assume role %v.\n", *role.RoleName)
panic(err)
}
log.Printf("Assumed role %v, got temporary credentials.\n", *role.RoleName)
assumeRoleConfig, err := config.LoadDefaultConfig(ctx,
config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(
*tempCredentials.Credentials.AccessKeyId,
*tempCredentials.Credentials.SecretAccessKey,
*tempCredentials.Credentials.SessionToken),
),
)
if err != nil {
panic(err)
}
// Add test options if this is a test run. This is needed only for testing purposes.
scenario.addTestOptions(&assumeRoleConfig)
s3Client := s3.NewFromConfig(assumeRoleConfig)
result, err := s3Client.ListBuckets(ctx, &s3.ListBucketsInput{})
if err != nil {
log.Println("Couldn't list buckets with assumed role credentials.")
panic(err)
}
log.Println("Successfully called ListBuckets with assumed role credentials, \n" +
"here are some of them:")
for i := 0; i < len(result.Buckets) && i < 5; i++ {
log.Printf("\t%v\n", *result.Buckets[i].Name)
}
log.Println(strings.Repeat("-", 88))
}
// Cleanup deletes all resources created for the scenario.
func (scenario AssumeRoleScenario) Cleanup(ctx context.Context, user *types.User, role *types.Role) {
if scenario.questioner.AskBool(
"Do you want to delete the resources created for this example? (y/n)", "y",
) {
policies, err := scenario.roleWrapper.ListAttachedRolePolicies(ctx, *role.RoleName)
if err != nil {
panic(err)
}
for _, policy := range policies {
err = scenario.roleWrapper.DetachRolePolicy(ctx, *role.RoleName, *policy.PolicyArn)
if err != nil {
panic(err)
}
err = scenario.policyWrapper.DeletePolicy(ctx, *policy.PolicyArn)
if err != nil {
panic(err)
}
log.Printf("Detached policy %v from role %v and deleted the policy.\n",
*policy.PolicyName, *role.RoleName)
}
err = scenario.roleWrapper.DeleteRole(ctx, *role.RoleName)
if err != nil {
panic(err)
}
log.Printf("Deleted role %v.\n", *role.RoleName)
userPols, err := scenario.userWrapper.ListUserPolicies(ctx, *user.UserName)
if err != nil {
panic(err)
}
for _, userPol := range userPols {
err = scenario.userWrapper.DeleteUserPolicy(ctx, *user.UserName, userPol)
if err != nil {
panic(err)
}
log.Printf("Deleted policy %v from user %v.\n", userPol, *user.UserName)
}
keys, err := scenario.userWrapper.ListAccessKeys(ctx, *user.UserName)
if err != nil {
panic(err)
}
for _, key := range keys {
err = scenario.userWrapper.DeleteAccessKey(ctx, *user.UserName, *key.AccessKeyId)
if err != nil {
panic(err)
}
log.Printf("Deleted access key %v from user %v.\n", *key.AccessKeyId, *user.UserName)
}
err = scenario.userWrapper.DeleteUser(ctx, *user.UserName)
if err != nil {
panic(err)
}
log.Printf("Deleted user %v.\n", *user.UserName)
log.Println(strings.Repeat("-", 88))
}
}
// IScenarioHelper abstracts input and wait functions from a scenario so that they
// can be mocked for unit testing.
type IScenarioHelper interface {
GetName() string
Pause(secs int)
}
const rMax = 100000
type ScenarioHelper struct {
Prefix string
Random *rand.Rand
}
// GetName returns a unique name formed of a prefix and a random number.
func (helper *ScenarioHelper) GetName() string {
return fmt.Sprintf("%v%v", helper.Prefix, helper.Random.Intn(rMax))
}
// Pause waits for the specified number of seconds.
func (helper ScenarioHelper) Pause(secs int) {
time.Sleep(time.Duration(secs) * time.Second)
}
```
Define a struct that wraps account actions.
```
import (
"context"
"log"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// AccountWrapper encapsulates AWS Identity and Access Management (IAM) account actions
// used in the examples.
// It contains an IAM service client that is used to perform account actions.
type AccountWrapper struct {
IamClient *iam.Client
}
// GetAccountPasswordPolicy gets the account password policy for the current account.
// If no policy has been set, a NoSuchEntityException is error is returned.
func (wrapper AccountWrapper) GetAccountPasswordPolicy(ctx context.Context) (*types.PasswordPolicy, error) {
var pwPolicy *types.PasswordPolicy
result, err := wrapper.IamClient.GetAccountPasswordPolicy(ctx,
&iam.GetAccountPasswordPolicyInput{})
if err != nil {
log.Printf("Couldn't get account password policy. Here's why: %v\n", err)
} else {
pwPolicy = result.PasswordPolicy
}
return pwPolicy, err
}
// ListSAMLProviders gets the SAML providers for the account.
func (wrapper AccountWrapper) ListSAMLProviders(ctx context.Context) ([]types.SAMLProviderListEntry, error) {
var providers []types.SAMLProviderListEntry
result, err := wrapper.IamClient.ListSAMLProviders(ctx, &iam.ListSAMLProvidersInput{})
if err != nil {
log.Printf("Couldn't list SAML providers. Here's why: %v\n", err)
} else {
providers = result.SAMLProviderList
}
return providers, err
}
```
Define a struct that wraps policy actions.
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// PolicyWrapper encapsulates AWS Identity and Access Management (IAM) policy actions
// used in the examples.
// It contains an IAM service client that is used to perform policy actions.
type PolicyWrapper struct {
IamClient *iam.Client
}
// ListPolicies gets up to maxPolicies policies.
func (wrapper PolicyWrapper) ListPolicies(ctx context.Context, maxPolicies int32) ([]types.Policy, error) {
var policies []types.Policy
result, err := wrapper.IamClient.ListPolicies(ctx, &iam.ListPoliciesInput{
MaxItems: aws.Int32(maxPolicies),
})
if err != nil {
log.Printf("Couldn't list policies. Here's why: %v\n", err)
} else {
policies = result.Policies
}
return policies, err
}
// PolicyDocument defines a policy document as a Go struct that can be serialized
// to JSON.
type PolicyDocument struct {
Version string
Statement []PolicyStatement
}
// PolicyStatement defines a statement in a policy document.
type PolicyStatement struct {
Effect string
Action []string
Principal map[string]string `json:",omitempty"`
Resource *string `json:",omitempty"`
}
// CreatePolicy creates a policy that grants a list of actions to the specified resource.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper PolicyWrapper) CreatePolicy(ctx context.Context, policyName string, actions []string,
resourceArn string) (*types.Policy, error) {
var policy *types.Policy
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(resourceArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", resourceArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreatePolicy(ctx, &iam.CreatePolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
})
if err != nil {
log.Printf("Couldn't create policy %v. Here's why: %v\n", policyName, err)
} else {
policy = result.Policy
}
return policy, err
}
// GetPolicy gets data about a policy.
func (wrapper PolicyWrapper) GetPolicy(ctx context.Context, policyArn string) (*types.Policy, error) {
var policy *types.Policy
result, err := wrapper.IamClient.GetPolicy(ctx, &iam.GetPolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't get policy %v. Here's why: %v\n", policyArn, err)
} else {
policy = result.Policy
}
return policy, err
}
// DeletePolicy deletes a policy.
func (wrapper PolicyWrapper) DeletePolicy(ctx context.Context, policyArn string) error {
_, err := wrapper.IamClient.DeletePolicy(ctx, &iam.DeletePolicyInput{
PolicyArn: aws.String(policyArn),
})
if err != nil {
log.Printf("Couldn't delete policy %v. Here's why: %v\n", policyArn, err)
}
return err
}
```
Define a struct that wraps role actions.
```
import (
"context"
"encoding/json"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
)
// RoleWrapper encapsulates AWS Identity and Access Management (IAM) role actions
// used in the examples.
// It contains an IAM service client that is used to perform role actions.
type RoleWrapper struct {
IamClient *iam.Client
}
// ListRoles gets up to maxRoles roles.
func (wrapper RoleWrapper) ListRoles(ctx context.Context, maxRoles int32) ([]types.Role, error) {
var roles []types.Role
result, err := wrapper.IamClient.ListRoles(ctx,
&iam.ListRolesInput{MaxItems: aws.Int32(maxRoles)},
)
if err != nil {
log.Printf("Couldn't list roles. Here's why: %v\n", err)
} else {
roles = result.Roles
}
return roles, err
}
// CreateRole creates a role that trusts a specified user. The trusted user can assume
// the role to acquire its permissions.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper RoleWrapper) CreateRole(ctx context.Context, roleName string, trustedUserArn string) (*types.Role, error) {
var role *types.Role
trustPolicy := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Principal: map[string]string{"AWS": trustedUserArn},
Action: []string{"sts:AssumeRole"},
}},
}
policyBytes, err := json.Marshal(trustPolicy)
if err != nil {
log.Printf("Couldn't create trust policy for %v. Here's why: %v\n", trustedUserArn, err)
return nil, err
}
result, err := wrapper.IamClient.CreateRole(ctx, &iam.CreateRoleInput{
AssumeRolePolicyDocument: aws.String(string(policyBytes)),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't create role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
// GetRole gets data about a role.
func (wrapper RoleWrapper) GetRole(ctx context.Context, roleName string) (*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.GetRole(ctx,
&iam.GetRoleInput{RoleName: aws.String(roleName)})
if err != nil {
log.Printf("Couldn't get role %v. Here's why: %v\n", roleName, err)
} else {
role = result.Role
}
return role, err
}
// CreateServiceLinkedRole creates a service-linked role that is owned by the specified service.
func (wrapper RoleWrapper) CreateServiceLinkedRole(ctx context.Context, serviceName string, description string) (
*types.Role, error) {
var role *types.Role
result, err := wrapper.IamClient.CreateServiceLinkedRole(ctx, &iam.CreateServiceLinkedRoleInput{
AWSServiceName: aws.String(serviceName),
Description: aws.String(description),
})
if err != nil {
log.Printf("Couldn't create service-linked role %v. Here's why: %v\n", serviceName, err)
} else {
role = result.Role
}
return role, err
}
// DeleteServiceLinkedRole deletes a service-linked role.
func (wrapper RoleWrapper) DeleteServiceLinkedRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteServiceLinkedRole(ctx, &iam.DeleteServiceLinkedRoleInput{
RoleName: aws.String(roleName)},
)
if err != nil {
log.Printf("Couldn't delete service-linked role %v. Here's why: %v\n", roleName, err)
}
return err
}
// AttachRolePolicy attaches a policy to a role.
func (wrapper RoleWrapper) AttachRolePolicy(ctx context.Context, policyArn string, roleName string) error {
_, err := wrapper.IamClient.AttachRolePolicy(ctx, &iam.AttachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't attach policy %v to role %v. Here's why: %v\n", policyArn, roleName, err)
}
return err
}
// ListAttachedRolePolicies lists the policies that are attached to the specified role.
func (wrapper RoleWrapper) ListAttachedRolePolicies(ctx context.Context, roleName string) ([]types.AttachedPolicy, error) {
var policies []types.AttachedPolicy
result, err := wrapper.IamClient.ListAttachedRolePolicies(ctx, &iam.ListAttachedRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list attached policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.AttachedPolicies
}
return policies, err
}
// DetachRolePolicy detaches a policy from a role.
func (wrapper RoleWrapper) DetachRolePolicy(ctx context.Context, roleName string, policyArn string) error {
_, err := wrapper.IamClient.DetachRolePolicy(ctx, &iam.DetachRolePolicyInput{
PolicyArn: aws.String(policyArn),
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't detach policy from role %v. Here's why: %v\n", roleName, err)
}
return err
}
// ListRolePolicies lists the inline policies for a role.
func (wrapper RoleWrapper) ListRolePolicies(ctx context.Context, roleName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListRolePolicies(ctx, &iam.ListRolePoliciesInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't list policies for role %v. Here's why: %v\n", roleName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
// DeleteRole deletes a role. All attached policies must be detached before a
// role can be deleted.
func (wrapper RoleWrapper) DeleteRole(ctx context.Context, roleName string) error {
_, err := wrapper.IamClient.DeleteRole(ctx, &iam.DeleteRoleInput{
RoleName: aws.String(roleName),
})
if err != nil {
log.Printf("Couldn't delete role %v. Here's why: %v\n", roleName, err)
}
return err
}
```
Define a struct that wraps user actions.
```
import (
"context"
"encoding/json"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/types"
"github.com/aws/smithy-go"
)
// UserWrapper encapsulates user actions used in the examples.
// It contains an IAM service client that is used to perform user actions.
type UserWrapper struct {
IamClient *iam.Client
}
// ListUsers gets up to maxUsers number of users.
func (wrapper UserWrapper) ListUsers(ctx context.Context, maxUsers int32) ([]types.User, error) {
var users []types.User
result, err := wrapper.IamClient.ListUsers(ctx, &iam.ListUsersInput{
MaxItems: aws.Int32(maxUsers),
})
if err != nil {
log.Printf("Couldn't list users. Here's why: %v\n", err)
} else {
users = result.Users
}
return users, err
}
// GetUser gets data about a user.
func (wrapper UserWrapper) GetUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.GetUser(ctx, &iam.GetUserInput{
UserName: aws.String(userName),
})
if err != nil {
var apiError smithy.APIError
if errors.As(err, &apiError) {
switch apiError.(type) {
case *types.NoSuchEntityException:
log.Printf("User %v does not exist.\n", userName)
err = nil
default:
log.Printf("Couldn't get user %v. Here's why: %v\n", userName, err)
}
}
} else {
user = result.User
}
return user, err
}
// CreateUser creates a new user with the specified name.
func (wrapper UserWrapper) CreateUser(ctx context.Context, userName string) (*types.User, error) {
var user *types.User
result, err := wrapper.IamClient.CreateUser(ctx, &iam.CreateUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
} else {
user = result.User
}
return user, err
}
// CreateUserPolicy adds an inline policy to a user. This example creates a policy that
// grants a list of actions on a specified role.
// PolicyDocument shows how to work with a policy document as a data structure and
// serialize it to JSON by using Go's JSON marshaler.
func (wrapper UserWrapper) CreateUserPolicy(ctx context.Context, userName string, policyName string, actions []string,
roleArn string) error {
policyDoc := PolicyDocument{
Version: "2012-10-17",
Statement: []PolicyStatement{{
Effect: "Allow",
Action: actions,
Resource: aws.String(roleArn),
}},
}
policyBytes, err := json.Marshal(policyDoc)
if err != nil {
log.Printf("Couldn't create policy document for %v. Here's why: %v\n", roleArn, err)
return err
}
_, err = wrapper.IamClient.PutUserPolicy(ctx, &iam.PutUserPolicyInput{
PolicyDocument: aws.String(string(policyBytes)),
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't create policy for user %v. Here's why: %v\n", userName, err)
}
return err
}
// ListUserPolicies lists the inline policies for the specified user.
func (wrapper UserWrapper) ListUserPolicies(ctx context.Context, userName string) ([]string, error) {
var policies []string
result, err := wrapper.IamClient.ListUserPolicies(ctx, &iam.ListUserPoliciesInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list policies for user %v. Here's why: %v\n", userName, err)
} else {
policies = result.PolicyNames
}
return policies, err
}
// DeleteUserPolicy deletes an inline policy from a user.
func (wrapper UserWrapper) DeleteUserPolicy(ctx context.Context, userName string, policyName string) error {
_, err := wrapper.IamClient.DeleteUserPolicy(ctx, &iam.DeleteUserPolicyInput{
PolicyName: aws.String(policyName),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete policy from user %v. Here's why: %v\n", userName, err)
}
return err
}
// DeleteUser deletes a user.
func (wrapper UserWrapper) DeleteUser(ctx context.Context, userName string) error {
_, err := wrapper.IamClient.DeleteUser(ctx, &iam.DeleteUserInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete user %v. Here's why: %v\n", userName, err)
}
return err
}
// CreateAccessKeyPair creates an access key for a user. The returned access key contains
// the ID and secret credentials needed to use the key.
func (wrapper UserWrapper) CreateAccessKeyPair(ctx context.Context, userName string) (*types.AccessKey, error) {
var key *types.AccessKey
result, err := wrapper.IamClient.CreateAccessKey(ctx, &iam.CreateAccessKeyInput{
UserName: aws.String(userName)})
if err != nil {
log.Printf("Couldn't create access key pair for user %v. Here's why: %v\n", userName, err)
} else {
key = result.AccessKey
}
return key, err
}
// DeleteAccessKey deletes an access key from a user.
func (wrapper UserWrapper) DeleteAccessKey(ctx context.Context, userName string, keyId string) error {
_, err := wrapper.IamClient.DeleteAccessKey(ctx, &iam.DeleteAccessKeyInput{
AccessKeyId: aws.String(keyId),
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't delete access key %v. Here's why: %v\n", keyId, err)
}
return err
}
// ListAccessKeys lists the access keys for the specified user.
func (wrapper UserWrapper) ListAccessKeys(ctx context.Context, userName string) ([]types.AccessKeyMetadata, error) {
var keys []types.AccessKeyMetadata
result, err := wrapper.IamClient.ListAccessKeys(ctx, &iam.ListAccessKeysInput{
UserName: aws.String(userName),
})
if err != nil {
log.Printf("Couldn't list access keys for user %v. Here's why: %v\n", userName, err)
} else {
keys = result.AccessKeyMetadata
}
return keys, err
}
```
+ For API details, see the following topics in *AWS SDK for Go API Reference*.
+ [AttachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.AttachRolePolicy)
+ [CreateAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateAccessKey)
+ [CreatePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreatePolicy)
+ [CreateRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateRole)
+ [CreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.CreateUser)
+ [DeleteAccessKey](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteAccessKey)
+ [DeletePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeletePolicy)
+ [DeleteRole](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteRole)
+ [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUser)
+ [DeleteUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DeleteUserPolicy)
+ [DetachRolePolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.DetachRolePolicy)
+ [PutUserPolicy](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/iam#Client.PutUserPolicy)
------
#### [ Java ]
**SDK for Java 2.x**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/iam#code-examples).
Create functions that wrap IAM user actions.
```
/*
To run this Java V2 code example, set up your development environment, including your credentials.
For information, see this documentation topic:
https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
This example performs these operations:
1. Creates a user that has no permissions.
2. Creates a role and policy that grants Amazon S3 permissions.
3. Creates a role.
4. Grants the user permissions.
5. Gets temporary credentials by assuming the role. Creates an Amazon S3 Service client object with the temporary credentials.
6. Deletes the resources.
*/
public class IAMScenario {
public static final String DASHES = new String(new char[80]).replace("\0", "-");
public static final String PolicyDocument = "{" +
" \"Version\": \"2012-10-17\"," +
" \"Statement\": [" +
" {" +
" \"Effect\": \"Allow\"," +
" \"Action\": [" +
" \"s3:*\"" +
" ]," +
" \"Resource\": \"*\"" +
" }" +
" ]" +
"}";
public static String userArn;
public static void main(String[] args) throws Exception {
final String usage = """
Usage:
\s
Where:
username - The name of the IAM user to create.\s
policyName - The name of the policy to create.\s
roleName - The name of the role to create.\s
roleSessionName - The name of the session required for the assumeRole operation.\s
bucketName - The name of the Amazon S3 bucket from which objects are read.\s
""";
if (args.length != 5) {
System.out.println(usage);
System.exit(1);
}
String userName = args[0];
String policyName = args[1];
String roleName = args[2];
String roleSessionName = args[3];
String bucketName = args[4];
Region region = Region.AWS_GLOBAL;
IamClient iam = IamClient.builder()
.region(region)
.build();
System.out.println(DASHES);
System.out.println("Welcome to the AWS IAM example scenario.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println(" 1. Create the IAM user.");
User createUser = createIAMUser(iam, userName);
System.out.println(DASHES);
userArn = createUser.arn();
AccessKey myKey = createIAMAccessKey(iam, userName);
String accessKey = myKey.accessKeyId();
String secretKey = myKey.secretAccessKey();
String assumeRolePolicyDocument = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
" \"AWS\": \"" + userArn + "\"" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
System.out.println(assumeRolePolicyDocument);
System.out.println(userName + " was successfully created.");
System.out.println(DASHES);
System.out.println("2. Creates a policy.");
String polArn = createIAMPolicy(iam, policyName);
System.out.println("The policy " + polArn + " was successfully created.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("3. Creates a role.");
TimeUnit.SECONDS.sleep(30);
String roleArn = createIAMRole(iam, roleName, assumeRolePolicyDocument);
System.out.println(roleArn + " was successfully created.");
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("4. Grants the user permissions.");
attachIAMRolePolicy(iam, roleName, polArn);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("*** Wait for 30 secs so the resource is available");
TimeUnit.SECONDS.sleep(30);
System.out.println("5. Gets temporary credentials by assuming the role.");
System.out.println("Perform an Amazon S3 Service operation using the temporary credentials.");
assumeRole(roleArn, roleSessionName, bucketName, accessKey, secretKey);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("6 Getting ready to delete the AWS resources");
deleteKey(iam, userName, accessKey);
deleteRole(iam, roleName, polArn);
deleteIAMUser(iam, userName);
System.out.println(DASHES);
System.out.println(DASHES);
System.out.println("This IAM Scenario has successfully completed");
System.out.println(DASHES);
}
public static AccessKey createIAMAccessKey(IamClient iam, String user) {
try {
CreateAccessKeyRequest request = CreateAccessKeyRequest.builder()
.userName(user)
.build();
CreateAccessKeyResponse response = iam.createAccessKey(request);
return response.accessKey();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return null;
}
public static User createIAMUser(IamClient iam, String username) {
try {
// Create an IamWaiter object
IamWaiter iamWaiter = iam.waiter();
CreateUserRequest request = CreateUserRequest.builder()
.userName(username)
.build();
// Wait until the user is created.
CreateUserResponse response = iam.createUser(request);
GetUserRequest userRequest = GetUserRequest.builder()
.userName(response.user().userName())
.build();
WaiterResponse waitUntilUserExists = iamWaiter.waitUntilUserExists(userRequest);
waitUntilUserExists.matched().response().ifPresent(System.out::println);
return response.user();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return null;
}
public static String createIAMRole(IamClient iam, String rolename, String json) {
try {
CreateRoleRequest request = CreateRoleRequest.builder()
.roleName(rolename)
.assumeRolePolicyDocument(json)
.description("Created using the AWS SDK for Java")
.build();
CreateRoleResponse response = iam.createRole(request);
System.out.println("The ARN of the role is " + response.role().arn());
return response.role().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
public static String createIAMPolicy(IamClient iam, String policyName) {
try {
// Create an IamWaiter object.
IamWaiter iamWaiter = iam.waiter();
CreatePolicyRequest request = CreatePolicyRequest.builder()
.policyName(policyName)
.policyDocument(PolicyDocument).build();
CreatePolicyResponse response = iam.createPolicy(request);
GetPolicyRequest polRequest = GetPolicyRequest.builder()
.policyArn(response.policy().arn())
.build();
WaiterResponse waitUntilPolicyExists = iamWaiter.waitUntilPolicyExists(polRequest);
waitUntilPolicyExists.matched().response().ifPresent(System.out::println);
return response.policy().arn();
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
return "";
}
public static void attachIAMRolePolicy(IamClient iam, String roleName, String policyArn) {
try {
ListAttachedRolePoliciesRequest request = ListAttachedRolePoliciesRequest.builder()
.roleName(roleName)
.build();
ListAttachedRolePoliciesResponse response = iam.listAttachedRolePolicies(request);
List attachedPolicies = response.attachedPolicies();
String polArn;
for (AttachedPolicy policy : attachedPolicies) {
polArn = policy.policyArn();
if (polArn.compareTo(policyArn) == 0) {
System.out.println(roleName + " policy is already attached to this role.");
return;
}
}
AttachRolePolicyRequest attachRequest = AttachRolePolicyRequest.builder()
.roleName(roleName)
.policyArn(policyArn)
.build();
iam.attachRolePolicy(attachRequest);
System.out.println("Successfully attached policy " + policyArn + " to role " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
// Invoke an Amazon S3 operation using the Assumed Role.
public static void assumeRole(String roleArn, String roleSessionName, String bucketName, String keyVal,
String keySecret) {
// Use the creds of the new IAM user that was created in this code example.
AwsBasicCredentials credentials = AwsBasicCredentials.create(keyVal, keySecret);
StsClient stsClient = StsClient.builder()
.region(Region.US_EAST_1)
.credentialsProvider(StaticCredentialsProvider.create(credentials))
.build();
try {
AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
.roleArn(roleArn)
.roleSessionName(roleSessionName)
.build();
AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
Credentials myCreds = roleResponse.credentials();
String key = myCreds.accessKeyId();
String secKey = myCreds.secretAccessKey();
String secToken = myCreds.sessionToken();
// List all objects in an Amazon S3 bucket using the temp creds retrieved by
// invoking assumeRole.
Region region = Region.US_EAST_1;
S3Client s3 = S3Client.builder()
.credentialsProvider(
StaticCredentialsProvider.create(AwsSessionCredentials.create(key, secKey, secToken)))
.region(region)
.build();
System.out.println("Created a S3Client using temp credentials.");
System.out.println("Listing objects in " + bucketName);
ListObjectsRequest listObjects = ListObjectsRequest.builder()
.bucket(bucketName)
.build();
ListObjectsResponse res = s3.listObjects(listObjects);
List objects = res.contents();
for (S3Object myValue : objects) {
System.out.println("The name of the key is " + myValue.key());
System.out.println("The owner is " + myValue.owner());
}
} catch (StsException e) {
System.err.println(e.getMessage());
System.exit(1);
}
}
public static void deleteRole(IamClient iam, String roleName, String polArn) {
try {
// First the policy needs to be detached.
DetachRolePolicyRequest rolePolicyRequest = DetachRolePolicyRequest.builder()
.policyArn(polArn)
.roleName(roleName)
.build();
iam.detachRolePolicy(rolePolicyRequest);
// Delete the policy.
DeletePolicyRequest request = DeletePolicyRequest.builder()
.policyArn(polArn)
.build();
iam.deletePolicy(request);
System.out.println("*** Successfully deleted " + polArn);
// Delete the role.
DeleteRoleRequest roleRequest = DeleteRoleRequest.builder()
.roleName(roleName)
.build();
iam.deleteRole(roleRequest);
System.out.println("*** Successfully deleted " + roleName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
public static void deleteKey(IamClient iam, String username, String accessKey) {
try {
DeleteAccessKeyRequest request = DeleteAccessKeyRequest.builder()
.accessKeyId(accessKey)
.userName(username)
.build();
iam.deleteAccessKey(request);
System.out.println("Successfully deleted access key " + accessKey +
" from user " + username);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
public static void deleteIAMUser(IamClient iam, String userName) {
try {
DeleteUserRequest request = DeleteUserRequest.builder()
.userName(userName)
.build();
iam.deleteUser(request);
System.out.println("*** Successfully deleted " + userName);
} catch (IamException e) {
System.err.println(e.awsErrorDetails().errorMessage());
System.exit(1);
}
}
}
```
+ For API details, see the following topics in *AWS SDK for Java 2.x API Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForJavaV2/iam-2010-05-08/PutUserPolicy)
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/iam#code-examples).
Create an IAM user and a role that grants permission to list Amazon S3 buckets. The user has rights only to assume the role. After assuming the role, use temporary credentials to list buckets for the account.
```
import {
CreateUserCommand,
GetUserCommand,
CreateAccessKeyCommand,
CreatePolicyCommand,
CreateRoleCommand,
AttachRolePolicyCommand,
DeleteAccessKeyCommand,
DeleteUserCommand,
DeleteRoleCommand,
DeletePolicyCommand,
DetachRolePolicyCommand,
IAMClient,
} from "@aws-sdk/client-iam";
import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3";
import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
import { retry } from "@aws-doc-sdk-examples/lib/utils/util-timers.js";
import { ScenarioInput } from "@aws-doc-sdk-examples/lib/scenario/index.js";
// Set the parameters.
const iamClient = new IAMClient({});
const userName = "iam_basic_test_username";
const policyName = "iam_basic_test_policy";
const roleName = "iam_basic_test_role";
/**
* Create a new IAM user. If the user already exists, give
* the option to delete and re-create it.
* @param {string} name
*/
export const createUser = async (name, confirmAll = false) => {
try {
const { User } = await iamClient.send(
new GetUserCommand({ UserName: name }),
);
const input = new ScenarioInput(
"deleteUser",
"Do you want to delete and remake this user?",
{ type: "confirm" },
);
const deleteUser = await input.handle({}, { confirmAll });
// If the user exists, and you want to delete it, delete the user
// and then create it again.
if (deleteUser) {
await iamClient.send(new DeleteUserCommand({ UserName: User.UserName }));
await iamClient.send(new CreateUserCommand({ UserName: name }));
} else {
console.warn(
`${name} already exists. The scenario may not work as expected.`,
);
return User;
}
} catch (caught) {
// If there is no user by that name, create one.
if (caught instanceof Error && caught.name === "NoSuchEntityException") {
const { User } = await iamClient.send(
new CreateUserCommand({ UserName: name }),
);
return User;
}
throw caught;
}
};
export const main = async (confirmAll = false) => {
// Create a user. The user has no permissions by default.
const User = await createUser(userName, confirmAll);
if (!User) {
throw new Error("User not created");
}
// Create an access key. This key is used to authenticate the new user to
// Amazon Simple Storage Service (Amazon S3) and AWS Security Token Service (AWS STS).
// It's not best practice to use access keys. For more information, see https://aws.amazon.com/iam/resources/best-practices/.
const createAccessKeyResponse = await iamClient.send(
new CreateAccessKeyCommand({ UserName: userName }),
);
if (
!createAccessKeyResponse.AccessKey?.AccessKeyId ||
!createAccessKeyResponse.AccessKey?.SecretAccessKey
) {
throw new Error("Access key not created");
}
const {
AccessKey: { AccessKeyId, SecretAccessKey },
} = createAccessKeyResponse;
let s3Client = new S3Client({
credentials: {
accessKeyId: AccessKeyId,
secretAccessKey: SecretAccessKey,
},
});
// Retry the list buckets operation until it succeeds. InvalidAccessKeyId is
// thrown while the user and access keys are still stabilizing.
await retry({ intervalInMs: 1000, maxRetries: 300 }, async () => {
try {
return await listBuckets(s3Client);
} catch (err) {
if (err instanceof Error && err.name === "InvalidAccessKeyId") {
throw err;
}
}
});
// Retry the create role operation until it succeeds. A MalformedPolicyDocument error
// is thrown while the user and access keys are still stabilizing.
const { Role } = await retry(
{
intervalInMs: 2000,
maxRetries: 60,
},
() =>
iamClient.send(
new CreateRoleCommand({
AssumeRolePolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Principal: {
// Allow the previously created user to assume this role.
AWS: User.Arn,
},
Action: "sts:AssumeRole",
},
],
}),
RoleName: roleName,
}),
),
);
if (!Role) {
throw new Error("Role not created");
}
// Create a policy that allows the user to list S3 buckets.
const { Policy: listBucketPolicy } = await iamClient.send(
new CreatePolicyCommand({
PolicyDocument: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Effect: "Allow",
Action: ["s3:ListAllMyBuckets"],
Resource: "*",
},
],
}),
PolicyName: policyName,
}),
);
if (!listBucketPolicy) {
throw new Error("Policy not created");
}
// Attach the policy granting the 's3:ListAllMyBuckets' action to the role.
await iamClient.send(
new AttachRolePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
RoleName: Role.RoleName,
}),
);
// Assume the role.
const stsClient = new STSClient({
credentials: {
accessKeyId: AccessKeyId,
secretAccessKey: SecretAccessKey,
},
});
// Retry the assume role operation until it succeeds.
const { Credentials } = await retry(
{ intervalInMs: 2000, maxRetries: 60 },
() =>
stsClient.send(
new AssumeRoleCommand({
RoleArn: Role.Arn,
RoleSessionName: `iamBasicScenarioSession-${Math.floor(
Math.random() * 1000000,
)}`,
DurationSeconds: 900,
}),
),
);
if (!Credentials?.AccessKeyId || !Credentials?.SecretAccessKey) {
throw new Error("Credentials not created");
}
s3Client = new S3Client({
credentials: {
accessKeyId: Credentials.AccessKeyId,
secretAccessKey: Credentials.SecretAccessKey,
sessionToken: Credentials.SessionToken,
},
});
// List the S3 buckets again.
// Retry the list buckets operation until it succeeds. AccessDenied might
// be thrown while the role policy is still stabilizing.
await retry({ intervalInMs: 2000, maxRetries: 120 }, () =>
listBuckets(s3Client),
);
// Clean up.
await iamClient.send(
new DetachRolePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
RoleName: Role.RoleName,
}),
);
await iamClient.send(
new DeletePolicyCommand({
PolicyArn: listBucketPolicy.Arn,
}),
);
await iamClient.send(
new DeleteRoleCommand({
RoleName: Role.RoleName,
}),
);
await iamClient.send(
new DeleteAccessKeyCommand({
UserName: userName,
AccessKeyId,
}),
);
await iamClient.send(
new DeleteUserCommand({
UserName: userName,
}),
);
};
/**
*
* @param {S3Client} s3Client
*/
const listBuckets = async (s3Client) => {
const { Buckets } = await s3Client.send(new ListBucketsCommand({}));
if (!Buckets) {
throw new Error("Buckets not listed");
}
console.log(Buckets.map((bucket) => bucket.Name).join("\n"));
};
```
+ For API details, see the following topics in *AWS SDK for JavaScript API Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/AttachRolePolicyCommand)
+ [CreateAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateAccessKeyCommand)
+ [CreatePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreatePolicyCommand)
+ [CreateRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateRoleCommand)
+ [CreateUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateUserCommand)
+ [DeleteAccessKey](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteAccessKeyCommand)
+ [DeletePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeletePolicyCommand)
+ [DeleteRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteRoleCommand)
+ [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserCommand)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DeleteUserPolicyCommand)
+ [DetachRolePolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/DetachRolePolicyCommand)
+ [PutUserPolicy](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/PutUserPolicyCommand)
------
#### [ Kotlin ]
**SDK for Kotlin**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/iam#code-examples).
Create functions that wrap IAM user actions.
```
suspend fun main(args: Array) {
val usage = """
Usage:
Where:
username - The name of the IAM user to create.
policyName - The name of the policy to create.
roleName - The name of the role to create.
roleSessionName - The name of the session required for the assumeRole operation.
fileLocation - The file location to the JSON required to create the role (see Readme).
bucketName - The name of the Amazon S3 bucket from which objects are read.
"""
if (args.size != 6) {
println(usage)
exitProcess(1)
}
val userName = args[0]
val policyName = args[1]
val roleName = args[2]
val roleSessionName = args[3]
val fileLocation = args[4]
val bucketName = args[5]
createUser(userName)
println("$userName was successfully created.")
val polArn = createPolicy(policyName)
println("The policy $polArn was successfully created.")
val roleArn = createRole(roleName, fileLocation)
println("$roleArn was successfully created.")
attachRolePolicy(roleName, polArn)
println("*** Wait for 1 MIN so the resource is available.")
delay(60000)
assumeGivenRole(roleArn, roleSessionName, bucketName)
println("*** Getting ready to delete the AWS resources.")
deleteRole(roleName, polArn)
deleteUser(userName)
println("This IAM Scenario has successfully completed.")
}
suspend fun createUser(usernameVal: String?): String? {
val request =
CreateUserRequest {
userName = usernameVal
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createUser(request)
return response.user?.userName
}
}
suspend fun createPolicy(policyNameVal: String?): String {
val policyDocumentValue = """
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "*"
}
]
}
""".trimIndent()
val request =
CreatePolicyRequest {
policyName = policyNameVal
policyDocument = policyDocumentValue
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createPolicy(request)
return response.policy?.arn.toString()
}
}
suspend fun createRole(
rolenameVal: String?,
fileLocation: String?,
): String? {
val jsonObject = fileLocation?.let { readJsonSimpleDemo(it) } as JSONObject
val request =
CreateRoleRequest {
roleName = rolenameVal
assumeRolePolicyDocument = jsonObject.toJSONString()
description = "Created using the AWS SDK for Kotlin"
}
IamClient { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.createRole(request)
return response.role?.arn
}
}
suspend fun attachRolePolicy(
roleNameVal: String,
policyArnVal: String,
) {
val request =
ListAttachedRolePoliciesRequest {
roleName = roleNameVal
}
IamClient.fromEnvironment { region = "AWS_GLOBAL" }.use { iamClient ->
val response = iamClient.listAttachedRolePolicies(request)
val attachedPolicies = response.attachedPolicies
// Ensure that the policy is not attached to this role.
val checkStatus: Int
if (attachedPolicies != null) {
checkStatus = checkMyList(attachedPolicies, policyArnVal)
if (checkStatus == -1) {
return
}
}
val policyRequest =
AttachRolePolicyRequest {
roleName = roleNameVal
policyArn = policyArnVal
}
iamClient.attachRolePolicy(policyRequest)
println("Successfully attached policy $policyArnVal to role $roleNameVal")
}
}
fun checkMyList(
attachedPolicies: List,
policyArnVal: String,
): Int {
for (policy in attachedPolicies) {
val polArn = policy.policyArn.toString()
if (polArn.compareTo(policyArnVal) == 0) {
println("The policy is already attached to this role.")
return -1
}
}
return 0
}
suspend fun assumeGivenRole(
roleArnVal: String?,
roleSessionNameVal: String?,
bucketName: String,
) {
val stsClient = StsClient.fromEnvironment { region = "us-east-1" }
val roleRequest =
AssumeRoleRequest {
roleArn = roleArnVal
roleSessionName = roleSessionNameVal
}
val roleResponse = stsClient.assumeRole(roleRequest)
val myCreds = roleResponse.credentials
val key = myCreds?.accessKeyId
val secKey = myCreds?.secretAccessKey
val secToken = myCreds?.sessionToken
val staticCredentials = StaticCredentialsProvider {
accessKeyId = key
secretAccessKey = secKey
sessionToken = secToken
}
// List all objects in an Amazon S3 bucket using the temp creds.
val s3 = S3Client.fromEnvironment {
region = "us-east-1"
credentialsProvider = staticCredentials
}
println("Created a S3Client using temp credentials.")
println("Listing objects in $bucketName")
val listObjects =
ListObjectsRequest {
bucket = bucketName
}
val response = s3.listObjects(listObjects)
response.contents?.forEach { myObject ->
println("The name of the key is ${myObject.key}")
println("The owner is ${myObject.owner}")
}
}
suspend fun deleteRole(
roleNameVal: String,
polArn: String,
) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
// First the policy needs to be detached.
val rolePolicyRequest =
DetachRolePolicyRequest {
policyArn = polArn
roleName = roleNameVal
}
iam.detachRolePolicy(rolePolicyRequest)
// Delete the policy.
val request =
DeletePolicyRequest {
policyArn = polArn
}
iam.deletePolicy(request)
println("*** Successfully deleted $polArn")
// Delete the role.
val roleRequest =
DeleteRoleRequest {
roleName = roleNameVal
}
iam.deleteRole(roleRequest)
println("*** Successfully deleted $roleNameVal")
}
suspend fun deleteUser(userNameVal: String) {
val iam = IamClient.fromEnvironment { region = "AWS_GLOBAL" }
val request =
DeleteUserRequest {
userName = userNameVal
}
iam.deleteUser(request)
println("*** Successfully deleted $userNameVal")
}
@Throws(java.lang.Exception::class)
fun readJsonSimpleDemo(filename: String): Any? {
val reader = FileReader(filename)
val jsonParser = JSONParser()
return jsonParser.parse(reader)
}
```
+ For API details, see the following topics in *AWS SDK for Kotlin API reference*.
+ [AttachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreatePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [CreateUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteAccessKey](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeletePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteRole](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DeleteUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [DetachRolePolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
+ [PutUserPolicy](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
------
#### [ PHP ]
**SDK for PHP**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/php/example_code/iam#code-examples).
```
namespace Iam\Basics;
require 'vendor/autoload.php';
use Aws\Credentials\Credentials;
use Aws\S3\Exception\S3Exception;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;
use Iam\IAMService;
echo("\n");
echo("--------------------------------------\n");
print("Welcome to the IAM getting started demo using PHP!\n");
echo("--------------------------------------\n");
$uuid = uniqid();
$service = new IAMService();
$user = $service->createUser("iam_demo_user_$uuid");
echo "Created user with the arn: {$user['Arn']}\n";
$key = $service->createAccessKey($user['UserName']);
$assumeRolePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{$user['Arn']}\"},
\"Action\": \"sts:AssumeRole\"
}]
}";
$assumeRoleRole = $service->createRole("iam_demo_role_$uuid", $assumeRolePolicyDocument);
echo "Created role: {$assumeRoleRole['RoleName']}\n";
$listAllBucketsPolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}";
$listAllBucketsPolicy = $service->createPolicy("iam_demo_policy_$uuid", $listAllBucketsPolicyDocument);
echo "Created policy: {$listAllBucketsPolicy['PolicyName']}\n";
$service->attachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);
$inlinePolicyDocument = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"{$assumeRoleRole['Arn']}\"}]
}";
$inlinePolicy = $service->createUserPolicy("iam_demo_inline_policy_$uuid", $inlinePolicyDocument, $user['UserName']);
//First, fail to list the buckets with the user
$credentials = new Credentials($key['AccessKeyId'], $key['SecretAccessKey']);
$s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]);
try {
$s3Client->listBuckets([
]);
echo "this should not run";
} catch (S3Exception $exception) {
echo "successfully failed!\n";
}
$stsClient = new StsClient(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $credentials]);
sleep(10);
$assumedRole = $stsClient->assumeRole([
'RoleArn' => $assumeRoleRole['Arn'],
'RoleSessionName' => "DemoAssumeRoleSession_$uuid",
]);
$assumedCredentials = [
'key' => $assumedRole['Credentials']['AccessKeyId'],
'secret' => $assumedRole['Credentials']['SecretAccessKey'],
'token' => $assumedRole['Credentials']['SessionToken'],
];
$s3Client = new S3Client(['region' => 'us-west-2', 'version' => 'latest', 'credentials' => $assumedCredentials]);
try {
$s3Client->listBuckets([]);
echo "this should now run!\n";
} catch (S3Exception $exception) {
echo "this should now not fail\n";
}
$service->detachRolePolicy($assumeRoleRole['RoleName'], $listAllBucketsPolicy['Arn']);
$deletePolicy = $service->deletePolicy($listAllBucketsPolicy['Arn']);
echo "Delete policy: {$listAllBucketsPolicy['PolicyName']}\n";
$deletedRole = $service->deleteRole($assumeRoleRole['Arn']);
echo "Deleted role: {$assumeRoleRole['RoleName']}\n";
$deletedKey = $service->deleteAccessKey($key['AccessKeyId'], $user['UserName']);
$deletedUser = $service->deleteUser($user['UserName']);
echo "Delete user: {$user['UserName']}\n";
```
+ For API details, see the following topics in *AWS SDK for PHP API Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForPHPV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Python ]
**SDK for Python (Boto3)**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples).
Create an IAM user and a role that grants permission to list Amazon S3 buckets. The user has rights only to assume the role. After assuming the role, use temporary credentials to list buckets for the account.
```
import json
import sys
import time
from uuid import uuid4
import boto3
from botocore.exceptions import ClientError
def progress_bar(seconds):
"""Shows a simple progress bar in the command window."""
for _ in range(seconds):
time.sleep(1)
print(".", end="")
sys.stdout.flush()
print()
def setup(iam_resource):
"""
Creates a new user with no permissions.
Creates an access key pair for the user.
Creates a role with a policy that lets the user assume the role.
Creates a policy that allows listing Amazon S3 buckets.
Attaches the policy to the role.
Creates an inline policy for the user that lets the user assume the role.
:param iam_resource: A Boto3 AWS Identity and Access Management (IAM) resource
that has permissions to create users, roles, and policies
in the account.
:return: The newly created user, user key, and role.
"""
try:
user = iam_resource.create_user(UserName=f"demo-user-{uuid4()}")
print(f"Created user {user.name}.")
except ClientError as error:
print(
f"Couldn't create a user for the demo. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
user_key = user.create_access_key_pair()
print(f"Created access key pair for user.")
except ClientError as error:
print(
f"Couldn't create access keys for user {user.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
print(f"Wait for user to be ready.", end="")
progress_bar(10)
try:
role = iam_resource.create_role(
RoleName=f"demo-role-{uuid4()}",
AssumeRolePolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": user.arn},
"Action": "sts:AssumeRole",
}
],
}
),
)
print(f"Created role {role.name}.")
except ClientError as error:
print(
f"Couldn't create a role for the demo. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
policy = iam_resource.create_policy(
PolicyName=f"demo-policy-{uuid4()}",
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
}
],
}
),
)
role.attach_policy(PolicyArn=policy.arn)
print(f"Created policy {policy.policy_name} and attached it to the role.")
except ClientError as error:
print(
f"Couldn't create a policy and attach it to role {role.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
user.create_policy(
PolicyName=f"demo-user-policy-{uuid4()}",
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": role.arn,
}
],
}
),
)
print(
f"Created an inline policy for {user.name} that lets the user assume "
f"the role."
)
except ClientError as error:
print(
f"Couldn't create an inline policy for user {user.name}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
print("Give AWS time to propagate these new resources and connections.", end="")
progress_bar(10)
return user, user_key, role
def show_access_denied_without_role(user_key):
"""
Shows that listing buckets without first assuming the role is not allowed.
:param user_key: The key of the user created during setup. This user does not
have permission to list buckets in the account.
"""
print(f"Try to list buckets without first assuming the role.")
s3_denied_resource = boto3.resource(
"s3", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try:
for bucket in s3_denied_resource.buckets.all():
print(bucket.name)
raise RuntimeError("Expected to get AccessDenied error when listing buckets!")
except ClientError as error:
if error.response["Error"]["Code"] == "AccessDenied":
print("Attempt to list buckets with no permissions: AccessDenied.")
else:
raise
def list_buckets_from_assumed_role(user_key, assume_role_arn, session_name):
"""
Assumes a role that grants permission to list the Amazon S3 buckets in the account.
Uses the temporary credentials from the role to list the buckets that are owned
by the assumed role's account.
:param user_key: The access key of a user that has permission to assume the role.
:param assume_role_arn: The Amazon Resource Name (ARN) of the role that
grants access to list the other account's buckets.
:param session_name: The name of the STS session.
"""
sts_client = boto3.client(
"sts", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try:
response = sts_client.assume_role(
RoleArn=assume_role_arn, RoleSessionName=session_name
)
temp_credentials = response["Credentials"]
print(f"Assumed role {assume_role_arn} and got temporary credentials.")
except ClientError as error:
print(
f"Couldn't assume role {assume_role_arn}. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
# Create an S3 resource that can access the account with the temporary credentials.
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Listing buckets for the assumed role's account:")
try:
for bucket in s3_resource.buckets.all():
print(bucket.name)
except ClientError as error:
print(
f"Couldn't list buckets for the account. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
def teardown(user, role):
"""
Removes all resources created during setup.
:param user: The demo user.
:param role: The demo role.
"""
try:
for attached in role.attached_policies.all():
policy_name = attached.policy_name
role.detach_policy(PolicyArn=attached.arn)
attached.delete()
print(f"Detached and deleted {policy_name}.")
role.delete()
print(f"Deleted {role.name}.")
except ClientError as error:
print(
"Couldn't detach policy, delete policy, or delete role. Here's why: "
f"{error.response['Error']['Message']}"
)
raise
try:
for user_pol in user.policies.all():
user_pol.delete()
print("Deleted inline user policy.")
for key in user.access_keys.all():
key.delete()
print("Deleted user's access key.")
user.delete()
print(f"Deleted {user.name}.")
except ClientError as error:
print(
"Couldn't delete user policy or delete user. Here's why: "
f"{error.response['Error']['Message']}"
)
def usage_demo():
"""Drives the demonstration."""
print("-" * 88)
print(f"Welcome to the IAM create user and assume role demo.")
print("-" * 88)
iam_resource = boto3.resource("iam")
user = None
role = None
try:
user, user_key, role = setup(iam_resource)
print(f"Created {user.name} and {role.name}.")
show_access_denied_without_role(user_key)
list_buckets_from_assumed_role(user_key, role.arn, "AssumeRoleDemoSession")
except Exception:
print("Something went wrong!")
finally:
if user is not None and role is not None:
teardown(user, role)
print("Thanks for watching!")
if __name__ == "__main__":
usage_demo()
```
+ For API details, see the following topics in *AWS SDK for Python (Boto3) API Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/PutUserPolicy)
------
#### [ Ruby ]
**SDK for Ruby**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples).
Create an IAM user and a role that grants permission to list Amazon S3 buckets. The user has rights only to assume the role. After assuming the role, use temporary credentials to list buckets for the account.
```
# Wraps the scenario actions.
class ScenarioCreateUserAssumeRole
attr_reader :iam_client
# @param [Aws::IAM::Client] iam_client: The AWS IAM client.
def initialize(iam_client, logger: Logger.new($stdout))
@iam_client = iam_client
@logger = logger
end
# Waits for the specified number of seconds.
#
# @param duration [Integer] The number of seconds to wait.
def wait(duration)
puts('Give AWS time to propagate resources...')
sleep(duration)
end
# Creates a user.
#
# @param user_name [String] The name to give the user.
# @return [Aws::IAM::User] The newly created user.
def create_user(user_name)
user = @iam_client.create_user(user_name: user_name).user
@logger.info("Created demo user named #{user.user_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info('Tried and failed to create demo user.')
@logger.info("\t#{e.code}: #{e.message}")
@logger.info("\nCan't continue the demo without a user!")
raise
else
user
end
# Creates an access key for a user.
#
# @param user [Aws::IAM::User] The user that owns the key.
# @return [Aws::IAM::AccessKeyPair] The newly created access key.
def create_access_key_pair(user)
user_key = @iam_client.create_access_key(user_name: user.user_name).access_key
@logger.info("Created accesskey pair for user #{user.user_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create access keys for user #{user.user_name}.")
@logger.info("\t#{e.code}: #{e.message}")
raise
else
user_key
end
# Creates a role that can be assumed by a user.
#
# @param role_name [String] The name to give the role.
# @param user [Aws::IAM::User] The user who is granted permission to assume the role.
# @return [Aws::IAM::Role] The newly created role.
def create_role(role_name, user)
trust_policy = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Principal: { 'AWS': user.arn },
Action: 'sts:AssumeRole'
}]
}.to_json
role = @iam_client.create_role(
role_name: role_name,
assume_role_policy_document: trust_policy
).role
@logger.info("Created role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create a role for the demo. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
else
role
end
# Creates a policy that grants permission to list S3 buckets in the account, and
# then attaches the policy to a role.
#
# @param policy_name [String] The name to give the policy.
# @param role [Aws::IAM::Role] The role that the policy is attached to.
# @return [Aws::IAM::Policy] The newly created policy.
def create_and_attach_role_policy(policy_name, role)
policy_document = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Action: 's3:ListAllMyBuckets',
Resource: 'arn:aws:s3:::*'
}]
}.to_json
policy = @iam_client.create_policy(
policy_name: policy_name,
policy_document: policy_document
).policy
@iam_client.attach_role_policy(
role_name: role.role_name,
policy_arn: policy.arn
)
@logger.info("Created policy #{policy.policy_name} and attached it to role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create a policy and attach it to role #{role.role_name}. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Creates an inline policy for a user that lets the user assume a role.
#
# @param policy_name [String] The name to give the policy.
# @param user [Aws::IAM::User] The user that owns the policy.
# @param role [Aws::IAM::Role] The role that can be assumed.
# @return [Aws::IAM::UserPolicy] The newly created policy.
def create_user_policy(policy_name, user, role)
policy_document = {
Version: '2012-10-17',
Statement: [{
Effect: 'Allow',
Action: 'sts:AssumeRole',
Resource: role.arn
}]
}.to_json
@iam_client.put_user_policy(
user_name: user.user_name,
policy_name: policy_name,
policy_document: policy_document
)
puts("Created an inline policy for #{user.user_name} that lets the user assume role #{role.role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't create an inline policy for user #{user.user_name}. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Creates an Amazon S3 resource with specified credentials. This is separated into a
# factory function so that it can be mocked for unit testing.
#
# @param credentials [Aws::Credentials] The credentials used by the Amazon S3 resource.
def create_s3_resource(credentials)
Aws::S3::Resource.new(client: Aws::S3::Client.new(credentials: credentials))
end
# Lists the S3 buckets for the account, using the specified Amazon S3 resource.
# Because the resource uses credentials with limited access, it may not be able to
# list the S3 buckets.
#
# @param s3_resource [Aws::S3::Resource] An Amazon S3 resource.
def list_buckets(s3_resource)
count = 10
s3_resource.buckets.each do |bucket|
@logger.info "\t#{bucket.name}"
count -= 1
break if count.zero?
end
rescue Aws::Errors::ServiceError => e
if e.code == 'AccessDenied'
puts('Attempt to list buckets with no permissions: AccessDenied.')
else
@logger.info("Couldn't list buckets for the account. Here's why: ")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
end
# Creates an AWS Security Token Service (AWS STS) client with specified credentials.
# This is separated into a factory function so that it can be mocked for unit testing.
#
# @param key_id [String] The ID of the access key used by the STS client.
# @param key_secret [String] The secret part of the access key used by the STS client.
def create_sts_client(key_id, key_secret)
Aws::STS::Client.new(access_key_id: key_id, secret_access_key: key_secret)
end
# Gets temporary credentials that can be used to assume a role.
#
# @param role_arn [String] The ARN of the role that is assumed when these credentials
# are used.
# @param sts_client [AWS::STS::Client] An AWS STS client.
# @return [Aws::AssumeRoleCredentials] The credentials that can be used to assume the role.
def assume_role(role_arn, sts_client)
credentials = Aws::AssumeRoleCredentials.new(
client: sts_client,
role_arn: role_arn,
role_session_name: 'create-use-assume-role-scenario'
)
@logger.info("Assumed role '#{role_arn}', got temporary credentials.")
credentials
end
# Deletes a role. If the role has policies attached, they are detached and
# deleted before the role is deleted.
#
# @param role_name [String] The name of the role to delete.
def delete_role(role_name)
@iam_client.list_attached_role_policies(role_name: role_name).attached_policies.each do |policy|
@iam_client.detach_role_policy(role_name: role_name, policy_arn: policy.policy_arn)
@iam_client.delete_policy(policy_arn: policy.policy_arn)
@logger.info("Detached and deleted policy #{policy.policy_name}.")
end
@iam_client.delete_role({ role_name: role_name })
@logger.info("Role deleted: #{role_name}.")
rescue Aws::Errors::ServiceError => e
@logger.info("Couldn't detach policies and delete role #{role.name}. Here's why:")
@logger.info("\t#{e.code}: #{e.message}")
raise
end
# Deletes a user. If the user has inline policies or access keys, they are deleted
# before the user is deleted.
#
# @param user [Aws::IAM::User] The user to delete.
def delete_user(user_name)
user = @iam_client.list_access_keys(user_name: user_name).access_key_metadata
user.each do |key|
@iam_client.delete_access_key({ access_key_id: key.access_key_id, user_name: user_name })
@logger.info("Deleted access key #{key.access_key_id} for user '#{user_name}'.")
end
@iam_client.delete_user(user_name: user_name)
@logger.info("Deleted user '#{user_name}'.")
rescue Aws::IAM::Errors::ServiceError => e
@logger.error("Error deleting user '#{user_name}': #{e.message}")
end
end
# Runs the IAM create a user and assume a role scenario.
def run_scenario(scenario)
puts('-' * 88)
puts('Welcome to the IAM create a user and assume a role demo!')
puts('-' * 88)
user = scenario.create_user("doc-example-user-#{Random.uuid}")
user_key = scenario.create_access_key_pair(user)
scenario.wait(10)
role = scenario.create_role("doc-example-role-#{Random.uuid}", user)
scenario.create_and_attach_role_policy("doc-example-role-policy-#{Random.uuid}", role)
scenario.create_user_policy("doc-example-user-policy-#{Random.uuid}", user, role)
scenario.wait(10)
puts('Try to list buckets with credentials for a user who has no permissions.')
puts('Expect AccessDenied from this call.')
scenario.list_buckets(
scenario.create_s3_resource(Aws::Credentials.new(user_key.access_key_id, user_key.secret_access_key))
)
puts('Now, assume the role that grants permission.')
temp_credentials = scenario.assume_role(
role.arn, scenario.create_sts_client(user_key.access_key_id, user_key.secret_access_key)
)
puts('Here are your buckets:')
scenario.list_buckets(scenario.create_s3_resource(temp_credentials))
puts("Deleting role '#{role.role_name}' and attached policies.")
scenario.delete_role(role.role_name)
puts("Deleting user '#{user.user_name}', policies, and keys.")
scenario.delete_user(user.user_name)
puts('Thanks for watching!')
puts('-' * 88)
rescue Aws::Errors::ServiceError => e
puts('Something went wrong with the demo.')
puts("\t#{e.code}: #{e.message}")
end
run_scenario(ScenarioCreateUserAssumeRole.new(Aws::IAM::Client.new)) if $PROGRAM_NAME == __FILE__
```
+ For API details, see the following topics in *AWS SDK for Ruby API Reference*.
+ [AttachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/AttachRolePolicy)
+ [CreateAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateAccessKey)
+ [CreatePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreatePolicy)
+ [CreateRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateRole)
+ [CreateUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/CreateUser)
+ [DeleteAccessKey](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteAccessKey)
+ [DeletePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeletePolicy)
+ [DeleteRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteRole)
+ [DeleteUser](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUser)
+ [DeleteUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DeleteUserPolicy)
+ [DetachRolePolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/DetachRolePolicy)
+ [PutUserPolicy](https://docs.aws.amazon.com/goto/SdkForRubyV3/iam-2010-05-08/PutUserPolicy)
------
#### [ Rust ]
**SDK for Rust**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/iam#code-examples).
```
use aws_config::meta::region::RegionProviderChain;
use aws_sdk_iam::Error as iamError;
use aws_sdk_iam::{config::Credentials as iamCredentials, config::Region, Client as iamClient};
use aws_sdk_s3::Client as s3Client;
use aws_sdk_sts::Client as stsClient;
use tokio::time::{sleep, Duration};
use uuid::Uuid;
#[tokio::main]
async fn main() -> Result<(), iamError> {
let (client, uuid, list_all_buckets_policy_document, inline_policy_document) =
initialize_variables().await;
if let Err(e) = run_iam_operations(
client,
uuid,
list_all_buckets_policy_document,
inline_policy_document,
)
.await
{
println!("{:?}", e);
};
Ok(())
}
async fn initialize_variables() -> (iamClient, String, String, String) {
let region_provider = RegionProviderChain::first_try(Region::new("us-west-2"));
let shared_config = aws_config::from_env().region(region_provider).load().await;
let client = iamClient::new(&shared_config);
let uuid = Uuid::new_v4().to_string();
let list_all_buckets_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"s3:ListAllMyBuckets\",
\"Resource\": \"arn:aws:s3:::*\"}]
}"
.to_string();
let inline_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Action\": \"sts:AssumeRole\",
\"Resource\": \"{}\"}]
}"
.to_string();
(
client,
uuid,
list_all_buckets_policy_document,
inline_policy_document,
)
}
async fn run_iam_operations(
client: iamClient,
uuid: String,
list_all_buckets_policy_document: String,
inline_policy_document: String,
) -> Result<(), iamError> {
let user = iam_service::create_user(&client, &format!("{}{}", "iam_demo_user_", uuid)).await?;
println!("Created the user with the name: {}", user.user_name());
let key = iam_service::create_access_key(&client, user.user_name()).await?;
let assume_role_policy_document = "{
\"Version\": \"2012-10-17\",
\"Statement\": [{
\"Effect\": \"Allow\",
\"Principal\": {\"AWS\": \"{}\"},
\"Action\": \"sts:AssumeRole\"
}]
}"
.to_string()
.replace("{}", user.arn());
let assume_role_role = iam_service::create_role(
&client,
&format!("{}{}", "iam_demo_role_", uuid),
&assume_role_policy_document,
)
.await?;
println!("Created the role with the ARN: {}", assume_role_role.arn());
let list_all_buckets_policy = iam_service::create_policy(
&client,
&format!("{}{}", "iam_demo_policy_", uuid),
&list_all_buckets_policy_document,
)
.await?;
println!(
"Created policy: {}",
list_all_buckets_policy.policy_name.as_ref().unwrap()
);
let attach_role_policy_result =
iam_service::attach_role_policy(&client, &assume_role_role, &list_all_buckets_policy)
.await?;
println!(
"Attached the policy to the role: {:?}",
attach_role_policy_result
);
let inline_policy_name = format!("{}{}", "iam_demo_inline_policy_", uuid);
let inline_policy_document = inline_policy_document.replace("{}", assume_role_role.arn());
iam_service::create_user_policy(&client, &user, &inline_policy_name, &inline_policy_document)
.await?;
println!("Created inline policy.");
//First, fail to list the buckets with the user.
let creds = iamCredentials::from_keys(key.access_key_id(), key.secret_access_key(), None);
let fail_config = aws_config::from_env()
.credentials_provider(creds.clone())
.load()
.await;
println!("Fail config: {:?}", fail_config);
let fail_client: s3Client = s3Client::new(&fail_config);
match fail_client.list_buckets().send().await {
Ok(e) => {
println!("This should not run. {:?}", e);
}
Err(e) => {
println!("Successfully failed with error: {:?}", e)
}
}
let sts_config = aws_config::from_env()
.credentials_provider(creds.clone())
.load()
.await;
let sts_client: stsClient = stsClient::new(&sts_config);
sleep(Duration::from_secs(10)).await;
let assumed_role = sts_client
.assume_role()
.role_arn(assume_role_role.arn())
.role_session_name(format!("iam_demo_assumerole_session_{uuid}"))
.send()
.await;
println!("Assumed role: {:?}", assumed_role);
sleep(Duration::from_secs(10)).await;
let assumed_credentials = iamCredentials::from_keys(
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.access_key_id(),
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.secret_access_key(),
Some(
assumed_role
.as_ref()
.unwrap()
.credentials
.as_ref()
.unwrap()
.session_token
.clone(),
),
);
let succeed_config = aws_config::from_env()
.credentials_provider(assumed_credentials)
.load()
.await;
println!("succeed config: {:?}", succeed_config);
let succeed_client: s3Client = s3Client::new(&succeed_config);
sleep(Duration::from_secs(10)).await;
match succeed_client.list_buckets().send().await {
Ok(_) => {
println!("This should now run successfully.")
}
Err(e) => {
println!("This should not run. {:?}", e);
panic!()
}
}
//Clean up.
iam_service::detach_role_policy(
&client,
assume_role_role.role_name(),
list_all_buckets_policy.arn().unwrap_or_default(),
)
.await?;
iam_service::delete_policy(&client, list_all_buckets_policy).await?;
iam_service::delete_role(&client, &assume_role_role).await?;
println!("Deleted role {}", assume_role_role.role_name());
iam_service::delete_access_key(&client, &user, &key).await?;
println!("Deleted key for {}", key.user_name());
iam_service::delete_user_policy(&client, &user, &inline_policy_name).await?;
println!("Deleted inline user policy: {}", inline_policy_name);
iam_service::delete_user(&client, &user).await?;
println!("Deleted user {}", user.user_name());
Ok(())
}
```
+ For API details, see the following topics in *AWS SDK for Rust API reference*.
+ [AttachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.attach_role_policy)
+ [CreateAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_access_key)
+ [CreatePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_policy)
+ [CreateRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_role)
+ [CreateUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.create_user)
+ [DeleteAccessKey](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_access_key)
+ [DeletePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_policy)
+ [DeleteRole](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_role)
+ [DeleteUser](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user)
+ [DeleteUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.delete_user_policy)
+ [DetachRolePolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.detach_role_policy)
+ [PutUserPolicy](https://docs.rs/aws-sdk-iam/latest/aws_sdk_iam/client/struct.Client.html#method.put_user_policy)
------
# Use an IAM role to grant permissions to applications running on Amazon EC2 instances
Use roles for applications on Amazon EC2
Applications that run on an Amazon EC2 instance must include AWS credentials in the AWS API requests. You could have your developers store AWS credentials directly within the Amazon EC2 instance and allow applications in that instance to use those credentials. But developers would then have to manage the credentials and ensure that they securely pass the credentials to each instance and update each Amazon EC2 instance when it's time to update the credentials. That's a lot of additional work.
Instead, you can and should use an IAM role to manage *temporary* credentials for applications that run on an Amazon EC2 instance. When you use a role, you don't have to distribute long-term credentials (such as sign-in credentials or access keys) to an Amazon EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources. When you launch an Amazon EC2 instance, you specify an IAM role to associate with the instance. Applications that run on the instance can then use the role-supplied temporary credentials to sign API requests.
Using roles to grant permissions to applications that run on Amazon EC2 instances requires a bit of extra configuration. An application running on an Amazon EC2 instance is abstracted from AWS by the virtualized operating system. Because of this extra separation, you need an additional step to assign an AWS role and its associated permissions to an Amazon EC2 instance and make them available to its applications. This extra step is the creation of an *[instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html)* attached to the instance. The instance profile contains the role and can provide the role's temporary credentials to an application that runs on the instance. Those temporary credentials can then be used in the application's API calls to access resources and to limit access to only those resources that the role specifies.
**Note**
Only one role can be assigned to an Amazon EC2 instance at a time, and all applications on the instance share the same role and permissions. When you leverage Amazon ECS to manage your Amazon EC2 instances, you can assign roles to Amazon ECS tasks that can be distinguished from the role of the Amazon EC2 instance that it's running on. Assigning each task a role aligns with the principle of least privileged access and allows for greater granular control over actions and resources.
For more information, see [Using IAM roles with Amazon ECS tasks](https://docs.aws.amazon.com/AmazonECS/latest/bestpracticesguide/security-iam-roles.html) in the *Amazon Elastic Container Service Best Practices Guide*.
Using roles in this way has several benefits. Because role credentials are temporary and updated automatically, you don't have to manage credentials, and you don't have to worry about long-term security risks. In addition, if you use a single role for multiple instances, you can make a change to that one role and the change propagates automatically to all the instances.
**Note**
Although a role is usually assigned to an Amazon EC2 instance when you launch it, a role can also be attached to an Amazon EC2 instance currently running. To learn how to attach a role to a running instance, see [IAM Roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role).
**Topics**
+ [
## How do roles for Amazon EC2 instances work?
](#roles-usingrole-ec2instance-roles)
+ [
## Permissions required for using roles with Amazon EC2
](#roles-usingrole-ec2instance-permissions)
+ [
## How do I get started?
](#roles-usingrole-ec2instance-get-started)
+ [
## Related information
](#roles-usingrole-ec2instance-related-info)
## How do roles for Amazon EC2 instances work?
In the following figure, a developer runs an application on an Amazon EC2 instance that requires access to the S3 bucket named `amzn-s3-demo-bucket-photos`. An administrator creates the `Get-pics` service role and attaches the role to the Amazon EC2 instance. The role includes a permissions policy that grants read-only access to the specified S3 bucket. It also includes a trust policy that allows the Amazon EC2 instance to assume the role and retrieve the temporary credentials. When the application runs on the instance, it can use the role's temporary credentials to access the photos bucket. The administrator doesn't have to grant the developer permission to access the photos bucket, and the developer never has to share or manage credentials.
![\[Application on an Amazon EC2 instance accessing an AWS resource\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/roles-usingrole-ec2roleinstance.png)
1. The administrator uses IAM to create the **Get-pics** role. In the role's trust policy, the administrator specifies that only Amazon EC2 instances can assume the role. In the role's permission policy, the administrator specifies read-only permissions for the `amzn-s3-demo-bucket-photos` bucket.
1. A developer launches an Amazon EC2 instance and assigns the `Get-pics` role to that instance.
**Note**
If you use the IAM console, the instance profile is managed for you and is mostly transparent to you. However, if you use the AWS CLI or API to create and manage the role and Amazon EC2 instance, then you must create the instance profile and assign the role to it as separate steps. Then, when you launch the instance, you must specify the instance profile name instead of the role name.
1. When the application runs, it obtains temporary security credentials from Amazon EC2 [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html), as described in [Retrieving Security Credentials from Instance Metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials). These are [temporary security credentials](id_credentials_temp.md) that represent the role and are valid for a limited period of time.
With some [AWS SDKs](https://aws.amazon.com/tools/), the developer can use a provider that manages the temporary security credentials transparently. (The documentation for individual AWS SDKs describes the features supported by that SDK for managing credentials.)
Alternatively, the application can get the temporary credentials directly from the instance metadata of the Amazon EC2 instance. Credentials and related values are available from the `iam/security-credentials/role-name` category (in this case, `iam/security-credentials/Get-pics`) of the metadata. If the application gets the credentials from the instance metadata, it can cache the credentials.
1. Using the retrieved temporary credentials, the application accesses the photo bucket. Because of the policy attached to the **Get-pics** role, the application has read-only permissions.
The temporary security credentials available on the instance automatically update before they expire so that a valid set is always available. The application just needs to make sure that it gets a new set of credentials from the instance metadata before the current ones expire. It is possible to use the AWS SDK to manage credentials so the application does not need to include additional logic to refresh the credentials. For example, instantiating clients with Instance Profile Credential Providers. However, if the application gets temporary security credentials from the instance metadata and has cached them, it should get a refreshed set of credentials every hour, or at least 15 minutes before the current set expires. The expiration time is included in the information returned in the `iam/security-credentials/role-name` category.
## Permissions required for using roles with Amazon EC2
To launch an instance with a role, the developer must have permission to launch Amazon EC2 instances and permission to pass IAM roles.
The following sample policy allows users to use the AWS Management Console to launch an instance with a role. The policy includes wildcards (`*`) to allow a user to pass any role and to perform the listed Amazon EC2 actions. The `ListInstanceProfiles` action allows users to view all of the roles available in the AWS account.
**Example policy that grants a user permission to use the Amazon EC2 console to launch an instance with any role**
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "IamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Sid": "ListEc2AndListInstanceProfiles",
"Effect": "Allow",
"Action": [
"iam:ListInstanceProfiles",
"ec2:Describe*",
"ec2:Search*",
"ec2:Get*"
],
"Resource": "*"
}
]
}
```
### Restricting which roles can be passed to Amazon EC2 instances (using PassRole)
You can use the `PassRole` permission to restrict which role a user can pass to an Amazon EC2 instance when the user launches the instance. This helps prevent the user from running applications that have more permissions than the user has been granted—that is, from being able to obtain elevated privileges. For example, imagine that user Alice has permissions only to launch Amazon EC2 instances and to work with Amazon S3 buckets, but the role she passes to an Amazon EC2 instance has permissions to work with IAM and Amazon DynamoDB. In that case, Alice might be able to launch the instance, log into it, get temporary security credentials, and then perform IAM or DynamoDB actions that she's not authorized for.
To restrict which roles a user can pass to an Amazon EC2 instance, you create a policy that allows the `PassRole` action. You then attach the policy to the user (or to an IAM group that the user belongs to) who will launch Amazon EC2 instances. In the `Resource` element of the policy, you list the role or roles that the user is allowed to pass to Amazon EC2 instances. When the user launches an instance and associates a role with it, Amazon EC2 checks whether the user is allowed to pass that role. Of course, you should also ensure that the role that the user can pass does not include more permissions than the user is supposed to have.
**Note**
`PassRole` is not an API action in the same way that `RunInstances` or `ListInstanceProfiles` is. Instead, it's a permission that AWS checks whenever a role ARN is passed as a parameter to an API (or the console does this on the user's behalf). It helps an administrator to control which roles can be passed by which users. In this case, it ensures that the user is allowed to attach a specific role to an Amazon EC2 instance.
**Example policy that grants a user permission to launch an Amazon EC2 instance with a specific role**
The following sample policy allows users to use the Amazon EC2 API to launch an instance with a role. The `Resource` element specifies the Amazon Resource Name (ARN) of a role. By specifying the ARN, the policy grants the user the permission to pass only the `Get-pics` role. If the user tries to specify a different role when launching an instance, the action fails. The user does have permissions to run any instance, regardless of whether they pass a role.
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::111122223333:role/Get-pics"
}
]
}
```
### Allowing an instance profile role to switch to a role in another account
You can allow an application running on an Amazon EC2 instance to run commands in another account. To do this, you must allow the Amazon EC2 instance role in the first account to switch to a role in the second account.
Imagine that you are using two AWS accounts and you want to allow an application running on an Amazon EC2 instance to run [AWS CLI](https://aws.amazon.com/cli/) commands in both accounts. Assume that the Amazon EC2 instance exists in account `111111111111`. That instance includes the `abcd` instance profile role that allows the application to perform read-only Amazon S3 tasks on the `amzn-s3-demo-bucket1` bucket within the same `111111111111` account. However, the application must also be allowed to assume the `efgh` cross-account role to access the `amzn-s3-demo-bucket2` Amazon S3 bucket in account `222222222222`.
![\[The diagram shows how a developer launches an Amazon EC2 instance with the role to get access to photos in an Amazon S3 bucket.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/roles-instance-profile-cross-account.png)
The `abcd` Amazon EC2 instance profile role must have the following permissions policy to allow the application to access the `amzn-s3-demo-bucket1` Amazon S3 bucket:
***Account 111111111111 `abcd` Role Permissions Policy***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket1/*",
"arn:aws:s3:::amzn-s3-demo-bucket1"
]
},
{
"Sid": "AllowIPToAssumeCrossAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::222222222222:role/efgh"
}
]
}
```
------
The `abcd` role must trust the Amazon EC2 service to assume the role. To do this, the `abcd` role must have the following trust policy:
***Account 111111111111 `abcd` Role Trust Policy***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "abcdTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"Service": "ec2.amazonaws.com"}
}
]
}
```
------
Assume that the `efgh` cross-account role allows read-only Amazon S3 tasks on the `amzn-s3-demo-bucket2` bucket within the same `222222222222` account. To do this, the `efgh` cross-account role must have the following permissions policy:
***Account 222222222222 `efgh` Role Permissions Policy***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccountLevelS3Actions",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetAccountPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowListAndReadS3ActionOnMyBucket",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket2/*",
"arn:aws:s3:::amzn-s3-demo-bucket2"
]
}
]
}
```
------
The `efgh` role must trust the `abcd` instance profile role to assume it. To do this, the `efgh` role must have the following trust policy:
***Account 222222222222 `efgh` Role Trust Policy***
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "efghTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"AWS": "arn:aws:iam::111111111111:role/abcd"}
}
]
}
```
------
## How do I get started?
To understand how roles work with Amazon EC2 instances, you need to use the IAM console to create a role, launch an Amazon EC2 instance that uses that role, and then examine the running instance. You can examine the [instance metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) to see how the role's temporary credentials are made available to an instance. You can also see how an application that runs on an instance can use the role. Use the following resources to learn more.
+ [IAM Roles on Amazon EC2 Instances Tutorial](https://www.youtube.com/watch?v=TlCuOjviOhk). The linked video shows how to use an IAM role with an Amazon EC2 instance to control what an application can do when it runs on the instance. The video shows how the application (written in the AWS SDK) can get temporary security credentials through the role.
+ SDK walkthroughs. The AWS SDK documentation includes walkthroughs that show an application running on an Amazon EC2 instance that uses temporary credentials for roles to read an Amazon S3 bucket. Each of the following walkthroughs presents similar steps with a different programming language:
+ [Configure IAM Roles for Amazon EC2 with the SDK for Java](https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/java-dg-roles.html) in the *AWS SDK for Java Developer Guide*
+ [Launch an Amazon EC2 Instance using the SDK for .NET](https://docs.aws.amazon.com/sdk-for-net/latest/developer-guide/run-instance.html) in the *AWS SDK for .NET Developer Guide*
+ [Creating an Amazon EC2 Instance with the SDK for Ruby](https://docs.aws.amazon.com/sdk-for-ruby/latest/developer-guide/ec2-example-create-instance.html) in the *AWS SDK for Ruby Developer Guide*
## Related information
For more information about creating roles or roles for Amazon EC2 instances, see the following information:
+ For more information about [using IAM roles with Amazon EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html), go to the *Amazon EC2 User Guide*.
+ To create a role, see [IAM role creation](id_roles_create.md)
+ For more information about using temporary security credentials, see [Temporary security credentials in IAM](id_credentials_temp.md).
+ If you work with the IAM API or CLI, you must create and manage IAM instance profiles. For more information about instance profiles, see [Use instance profiles](id_roles_use_switch-role-ec2_instance-profiles.md).
+ For more information about temporary security credentials for roles in the instance metadata, see [Retrieving Security Credentials from Instance Metadata](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials) in the *Amazon EC2 User Guide*.
# Use instance profiles
Use an instance profile to pass an IAM role to an EC2 instance. For more information, see [IAM roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the *Amazon EC2 User Guide*.
## Managing instance profiles (console)
If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role. When you then use the Amazon EC2 console to launch an instance with an IAM role, you can select a role to associate with the instance. In the console, the list that's displayed is actually a list of instance profile names. The console does not create an instance profile for a role that is not associated with Amazon EC2.
You can use the AWS Management Console to delete IAM roles and instance profiles for Amazon EC2 if the role and the instance profile have the same name. To learn more about deleting instance profiles, see [Delete roles or instance profiles](id_roles_manage_delete.md).
**Note**
To update permissions for an instance, replace its instance profile. We do not recommend removing a role from an instance profile, because there is a delay of up to one hour before this change takes effect.
## Managing instance profiles (AWS CLI or AWS API)
If you manage your roles from the AWS CLI or the AWS API, you create roles and instance profiles as separate actions. Because roles and instance profiles can have different names, you must know the names of your instance profiles as well as the names of roles they contain. That way you can choose the correct instance profile when you launch an EC2 instance.
You can attach tags to your IAM resources, including instance profiles, to identify, organize, and control access to them. You can tag instance profiles only when you use the AWS CLI or AWS API.
**Note**
An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles. This limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to an instance profile. You must then wait for the change to appear across all of AWS because of [eventual consistency](https://en.wikipedia.org/wiki/Eventual_consistency). To force the change, you must [disassociate the instance profile](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html) and then [associate the instance profile](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html), or you can stop your instance and then restart it.
### Managing instance profiles (AWS CLI)
You can use the following AWS CLI commands to work with instance profiles in an AWS account.
+ Create an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/create-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/create-instance-profile.html)
+ Tag an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/tag-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/tag-instance-profile.html)
+ List tags for an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profile-tags.html](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profile-tags.html)
+ Untag an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/untag-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/untag-instance-profile.html)
+ Add a role to an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html)
+ List instance profiles: [https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles.html](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles.html), [https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles-for-role.html](https://docs.aws.amazon.com/cli/latest/reference/iam/list-instance-profiles-for-role.html)
+ Get information about an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/get-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/get-instance-profile.html)
+ Remove a role from an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/remove-role-from-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/remove-role-from-instance-profile.html)
+ Delete an instance profile: [https://docs.aws.amazon.com/cli/latest/reference/iam/delete-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-instance-profile.html)
You can also attach a role to an already running EC2 instance by using the following commands. For more information, see [IAM Roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role).
+ Attach an instance profile with a role to a stopped or running EC2 instance: [https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/associate-iam-instance-profile.html)
+ Get information about an instance profile attached to an EC2 instance: [https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-iam-instance-profile-associations.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-iam-instance-profile-associations.html)
+ Detach an instance profile with a role from a stopped or running EC2 instance: [https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html](https://docs.aws.amazon.com/cli/latest/reference/ec2/disassociate-iam-instance-profile.html)
### Managing instance profiles (AWS API)
You can call the following AWS API operations to work with instance profiles in an AWS account.
+ Create an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateInstanceProfile.html)
+ Tag an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html)
+ List tags on an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html)
+ Untag an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_TagInstanceProfile.html)
+ Add a role to an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html)
+ List instance profiles: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfiles.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfiles.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfilesForRole.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListInstanceProfilesForRole.html)
+ Get information about an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetInstanceProfile.html)
+ Remove a role from an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveRoleFromInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveRoleFromInstanceProfile.html)
+ Delete an instance profile: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteInstanceProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteInstanceProfile.html)
You can also attach a role to an already running EC2 instance by calling the following operations. For more information, see [IAM Roles for Amazon EC2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#attach-iam-role).
+ Attach an instance profile with a role to a stopped or running EC2 instance: [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AssociateIamInstanceProfile.html)
+ Get information about an instance profile attached to an EC2 instance: [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIamInstanceProfileAssociations.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeIamInstanceProfileAssociations.html)
+ Detach an instance profile with a role from a stopped or running EC2 instance: [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateIamInstanceProfile.html)