Amazon AWS AssumeRole Support

AWS Accounts and Role Trust Policy

To assume a role, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate access to this account's role.

The user who wants to access the role must also have permissions delegated from the role's administrator. If the user is in a different account than the role, then the user's administrator must attach a policy that allows the user to call AssumeRole on the Amazon Resource Name (ARN) of the role in the other account. If the user is in the same account as the role, then you can either attach a policy to the user (identical to the previous different account user), or you can add the user as a principal directly in the role's trust policy.

AWS AssumeRole API

The Amazon AWS AssumeRole API returns a set of temporary security credentials that you can use for cross-account access to AWS resources you might not normally have access to. To configure Cross-Account Access for Amazon AWS Cloud devices in SecureTrack, see Adding Amazon AWS Cloud Platform. For more information about the AWS AssumeRole API, see http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html (AWS Documentation » AWS Security Token Service » API Reference » Actions » AssumeRole).

The following required and optional parameters are used for SecureTrack Cross-Account Access, via the AssumeRole API:

Parameter	Description	Status
RoleArn	The Amazon Resource Name (ARN) of the role to assume. Example: arn:aws:iam::006751140943:role/AssumRoleAdmin	required
RoleSessionName	An identifier for the assumed role session. Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role	required
DurationSeconds	Duration of the role session. in seconds: 900 s - 3600 s (15 minutes - 1 hour). Default: 3600 s	optional
ExternalID	A unique identifier that is used by third parties when assuming roles in their customers' accounts. For each role that the third party can assume, they should instruct their customers to ensure the role's trust policy checks for the external ID that the third party generated. Each time the third party assumes the role, they should pass the customer's external ID. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html	optional
SerialNumber	The identification number of the MFA device that is associated with the user who is making the AssumeRole call. Specify this value if the trust policy of the role being assumed includes a condition that requires MFA authentication. The value is either the serial number for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).	optional
TokenCode	The value provided by the MFA device, if the trust policy of the role being assumed requires MFA (that is, if the policy includes a condition that tests for MFA). If the role being assumed requires MFA and if the TokenCode value is missing or expired, the AssumeRole call returns an "access denied" error.	optional

AWS Temporary Security Credentials

• The temporary security credentials are valid for the duration that you specify when you call AssumeRole.
• You must use credentials for an AWS Identity and an Access Management (IAM) user or an IAM role to call AssumeRole.

  If you call AssumeRole using the AWS root account credentials, you will receive an access is denied message.

• Optionally, you can pass an IAM access policy to this operation.

  If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed.

• It is possible to activate/deactivate the AWS security token service (STS) in an aws region, as follows:

  AWSSecurityTokenServiceClient stsClient = new 
  AWSSecurityTokenServiceClient();
  
  stsClient.setEndpoint("sts.eu-west-1.amazonaws.com");

• Do not use the setRegion method to set a regional endpoint for AWS STS: For backward compatibility, that method continues to resolve to the original single global endpoint of sts.amazonaws.com.

For more information, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

Additional Links

• AWS official description of the AssumeRole procedure: https://aws.amazon.com/blogs/aws/delegating-api-access-to-aws-services-using-iam-roles/ (Delegating API Access to AWS Services Using IAM Roles)

• AssumeRole API parameters details: http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html (AWS Documentation » AWS Security Token Service » API Reference » Actions » AssumeRole)

• Scenarios for Temporary Security Credentials http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction (AWS Documentation » AWS Identity and Access Management » User Guide » Identities (Users, Groups, and Roles) » Temporary Security Credentials » Common Scenarios for Temporary Credentials)