Amazon AWS AssumeRole Support
AWS Accounts and Role Trust Policy
To assume a role, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate access to this account's role.
The user who wants to assume the role must also have permission delegated by the role's administrator. If the user is in a different account than the role, the user's administrator must attach a policy that allows the user to call AssumeRole on the Amazon Resource Name (ARN) of the role in the other account. If the user is in the same account as the role, you can either attach such a policy to the user (exactly as for a user in a different account), or add the user as a principal directly in the role's trust policy.
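The two-sided check described above (trust policy in the role's account, identity policy in the caller's account), as an added example that is not Tufin's or AWS's code. The account IDs, ARNs and policy documents are constructed, and the trust policy also carries the ExternalId and MFA conditions listed in the parameter table further down; the evaluator models only the rules this page describes and ignores explicit Deny, SCPs and permission boundaries:

```python
"""Model of the two checks a cross-account AssumeRole must pass.

Added example (not Tufin's or AWS's code). Account IDs, ARNs and policy
documents are constructed. It models only what this page describes: the
role's trust policy (role account) must trust the caller and its conditions
must hold, and the caller's identity policy (caller account) must allow
sts:AssumeRole on the role ARN. Real IAM evaluation also applies explicit
Deny, SCPs and permission boundaries, which are omitted here.
"""
import fnmatch
import json

ROLE_ACCOUNT = "111111111111"    # constructed: the account that owns the role
CALLER_ACCOUNT = "222222222222"  # constructed: the account SecureTrack runs in
ROLE_ARN = f"arn:aws:iam::{ROLE_ACCOUNT}:role/SecureTrackReadOnly"

# Trust policy on the role (constructed). It trusts the whole caller account
# and requires the ExternalId and MFA described in the parameter table.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"sts:ExternalId": "example-external-id-42"},
      "Bool": {"aws:MultiFactorAuthPresent": "true"}
    }
  }]
}""")

# Identity policy the caller account's administrator attaches to the IAM user
# (constructed). Without it, being trusted by the role is not enough.
CALLER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111111111111:role/SecureTrackReadOnly"
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _principal_matches(principal, caller_arn):
    """An account's ':root' principal covers every IAM identity in that
    account; any other ARN must match the caller exactly."""
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*" or entry == caller_arn:
            return True
        if entry.endswith(":root") and _account_of(entry) == _account_of(caller_arn):
            return True
    return False


def _conditions_hold(condition, ctx):
    for key, expected in condition.get("StringEquals", {}).items():
        if ctx.get(key) != expected:
            return False
    for key, expected in condition.get("Bool", {}).items():
        if str(ctx.get(key, False)).lower() != expected:
            return False
    return True


def trust_policy_allows(trust_policy, caller_arn, ctx):
    """Check 1: does the role's trust policy admit caller_arn under ctx?"""
    for stmt in trust_policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and _principal_matches(stmt["Principal"], caller_arn)
                and _conditions_hold(stmt.get("Condition", {}), ctx)):
            return True
    return False


def caller_policy_allows(caller_policy, role_arn):
    """Check 2: does the caller's identity policy allow sts:AssumeRole on role_arn?"""
    for stmt in caller_policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False


def assume_role_would_succeed(caller_arn, ctx, caller_policy=CALLER_POLICY):
    """A cross-account AssumeRole needs both checks to pass."""
    return (trust_policy_allows(TRUST_POLICY, caller_arn, ctx)
            and caller_policy_allows(caller_policy, ROLE_ARN))


if __name__ == "__main__":
    ctx = {"sts:ExternalId": "example-external-id-42", "aws:MultiFactorAuthPresent": True}
    print(assume_role_would_succeed(f"arn:aws:iam::{CALLER_ACCOUNT}:user/securetrack", ctx))
```

The point to notice is that a caller from an untrusted account fails at check 1 before its own permissions matter, while a trusted caller still fails if its administrator never granted `sts:AssumeRole` on this specific role ARN; scoping that resource to one role rather than `*` is what keeps a compromised caller identity from reaching other roles that happen to trust the same account.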
AWS AssumeRole API
The Amazon AWS AssumeRole API returns a set of temporary security credentials that you can use for cross-account access to AWS resources you might not normally have access to. To configure Cross-Account Access for Amazon AWS Cloud devices in SecureTrack, see Adding Amazon AWS Cloud Platform. For more information about the AWS AssumeRole API, see http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html (AWS Documentation » AWS Security Token Service » API Reference » Actions » AssumeRole).
The following required and optional parameters are used for SecureTrack Cross-Account Access via the AssumeRole API:
Parameter | Description | Status
---|---|---
RoleArn | The Amazon Resource Name (ARN) of the role to assume. Example: | required
RoleSessionName | An identifier for the assumed role session. Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. | required
DurationSeconds | Duration of the role session, in seconds: 900 s - 3600 s (15 minutes - 1 hour). Default: 3600 s | optional
ExternalID | A unique identifier that is used by third parties when assuming roles in their customers' accounts. For each role that the third party can assume, they should instruct their customers to ensure the role's trust policy checks for the external ID that the third party generated. Each time the third party assumes the role, they should pass the customer's external ID. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html | optional
SerialNumber | The identification number of the MFA device that is associated with the user who is making the | optional
TokenCode | The value provided by the MFA device, if the trust policy of the role being assumed requires MFA (that is, if the policy includes a condition that tests for MFA). If the role being assumed requires MFA and the TokenCode value is missing or expired, the | optional
AWS Temporary Security Credentials
- The temporary security credentials are valid for the duration that you specify when you call AssumeRole.
- You must use credentials for an AWS Identity and Access Management (IAM) user or an IAM role to call AssumeRole. If you call AssumeRole using the AWS root account credentials, you will receive an access denied message.
- Optionally, you can pass an IAM access policy to this operation. If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed.
- It is possible to direct AWS Security Token Service (STS) calls to the endpoint of a specific AWS region (STS must be activated for that region), as follows:

```java
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;

// AWS SDK for Java v1: pin the STS client to the eu-west-1 regional endpoint
AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient();
stsClient.setEndpoint("sts.eu-west-1.amazonaws.com");
```
- Do not use the setRegion method to set a regional endpoint for AWS STS: for backward compatibility, that method continues to resolve to the original single global endpoint, sts.amazonaws.com. For more information, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
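The request side of the parameter table and the regional-endpoint advice above, as an added example that is not Tufin's or AWS's code. The request builder enforces the table's constraints (DurationSeconds within 900-3600 s, SerialNumber and TokenCode supplied together, a well-formed RoleSessionName) before anything is sent; `regional_sts_client()` assumes boto3 is installed and pins the endpoint the way the Java `setEndpoint()` call does; `FakeStsClient`, the role ARN, the MFA serial and the external ID are constructed so the flow runs offline:

```python
"""Build, validate and issue an AssumeRole request with the parameters from
the table above, against a regional STS endpoint.

Added example (not Tufin's or AWS's code). build_assume_role_request() and
assume_role() need only the standard library; regional_sts_client() assumes
boto3 is installed. FakeStsClient is a constructed stand-in for offline runs.
"""
import re
from datetime import datetime, timedelta, timezone

MIN_DURATION = 900    # seconds, lower bound from the table
MAX_DURATION = 3600   # seconds, upper bound and default from the table
# Documented RoleSessionName format: 2-64 characters from [\w+=,.@-]
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def build_assume_role_request(role_arn, session_name, duration=MAX_DURATION,
                              external_id=None, mfa_serial=None, token_code=None):
    """Return keyword arguments for STS AssumeRole, rejecting what the table
    rules out: a duration outside 900-3600 s, a malformed session name, or
    an MFA serial number without its token code (and vice versa)."""
    if not role_arn.startswith("arn:aws:iam::") or ":role/" not in role_arn:
        raise ValueError("RoleArn must be an IAM role ARN")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName must be 2-64 characters of [\\w+=,.@-]")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}-{MAX_DURATION}")
    if (mfa_serial is None) != (token_code is None):
        raise ValueError("SerialNumber and TokenCode must be supplied together")
    request = {"RoleArn": role_arn, "RoleSessionName": session_name,
               "DurationSeconds": duration}
    if external_id is not None:
        request["ExternalId"] = external_id
    if mfa_serial is not None:
        request["SerialNumber"] = mfa_serial
        request["TokenCode"] = token_code
    return request


def regional_sts_client(region):
    """STS client pinned to one region's endpoint, the boto3 counterpart of
    the setEndpoint() call shown above. boto3 is imported lazily so the rest
    of this file runs without it."""
    import boto3  # assumption: boto3 is installed
    return boto3.client("sts", region_name=region,
                        endpoint_url=f"https://sts.{region}.amazonaws.com")


def assume_role(client, request):
    """Issue the call and return the temporary credentials plus their expiry,
    so a caller can refresh before the session lapses."""
    response = client.assume_role(**request)
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
        "assumed_role_arn": response["AssumedRoleUser"]["Arn"],
    }


def seconds_remaining(credentials, now=None):
    """Seconds until the temporary credentials expire (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    return (credentials["expiration"] - now).total_seconds()


class FakeStsClient:
    """Constructed stand-in mimicking the shape of boto3's assume_role()
    response; it performs no authentication and is for offline runs only."""

    def assume_role(self, **request):
        issued = datetime.now(timezone.utc)
        role_name = request["RoleArn"].rsplit("/", 1)[1]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEFAKEKEY",       # constructed
                "SecretAccessKey": "fake-secret",          # constructed
                "SessionToken": "fake-session-token",      # constructed
                "Expiration": issued + timedelta(seconds=request["DurationSeconds"]),
            },
            "AssumedRoleUser": {
                "Arn": f"arn:aws:sts::111111111111:assumed-role/{role_name}/{request['RoleSessionName']}",
            },
        }


if __name__ == "__main__":
    req = build_assume_role_request(
        "arn:aws:iam::111111111111:role/SecureTrackReadOnly",  # constructed
        "securetrack-sync", duration=900,
        external_id="example-external-id-42",
        mfa_serial="arn:aws:iam::222222222222:mfa/securetrack", token_code="123456")
    # Swap FakeStsClient() for regional_sts_client("eu-west-1") against real AWS.
    creds = assume_role(FakeStsClient(), req)
    print(creds["assumed_role_arn"], round(seconds_remaining(creds)))
```

Validating locally first matters because STS rejects a half-specified MFA pair or an out-of-range duration with a generic error, and because the returned `Expiration` is the only signal that the session is about to lapse: a long-running collector such as SecureTrack has to track it and re-assume before it runs out rather than caching the credentials indefinitely.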
Additional Links:
- AWS official description of the AssumeRole procedure: https://aws.amazon.com/blogs/aws/delegating-api-access-to-aws-services-using-iam-roles/ (Delegating API Access to AWS Services Using IAM Roles)
- AssumeRole API parameter details: http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html (AWS Documentation » AWS Security Token Service » API Reference » Actions » AssumeRole)
- Scenarios for Temporary Security Credentials: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction (AWS Documentation » AWS Identity and Access Management » User Guide » Identities (Users, Groups, and Roles) » Temporary Security Credentials » Common Scenarios for Temporary Credentials)