Amazon AWS AssumeRole Support

AWS Accounts and Role Trust Policy

To assume a role, the role must trust the account that the caller belongs to. The trust relationship is defined in the role's trust policy when the role is created: that policy lists the principals (normally other AWS accounts) that are allowed to assume the role.

The user who wants to assume the role must also be granted permission by the administrator of the account that user belongs to. If the user is in a different account than the role, the user's administrator must attach a policy that allows the user to call AssumeRole on the Amazon Resource Name (ARN) of the role in the other account. If the user is in the same account as the role, you can either attach that same kind of policy to the user, or name the user directly as a principal in the role's trust policy. Both halves must agree: for a cross-account caller, a trust policy that names the caller's account is not sufficient on its own, and an identity policy alone is not sufficient if the role does not trust the caller.
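The two-sided delegation described above, as an added example that is not part of the original page or of SecureTrack: it builds the trust policy that goes on the role and the identity policy that goes on the caller, and then applies a simplified evaluation of both (no Condition elements other than the generated ExternalId, and no IAM wildcard handling beyond the Resource field). The account IDs, role name and user name are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed identifiers for the example (not taken from the original page):
# the role lives in account 111111111111, the caller in account 222222222222.
ROLE_ACCOUNT = "111111111111"
CALLER_ACCOUNT = "222222222222"
ROLE_ARN = f"arn:aws:iam::{ROLE_ACCOUNT}:role/SecureTrackReadOnly"
CALLER_ARN = f"arn:aws:iam::{CALLER_ACCOUNT}:user/securetrack-collector"


def account_of(arn):
    """Account ID field of an IAM ARN (arn:partition:service:region:account:resource)."""
    return arn.split(":")[4]


def build_trust_policy(trusted, external_id=None):
    """Trust policy for the role. `trusted` holds account IDs (the whole account is trusted
    via its :root principal) or full principal ARNs. An ExternalId condition guards against
    the confused-deputy problem when a third party such as a SaaS tool assumes the role."""
    principals = [p if p.startswith("arn:") else f"arn:aws:iam::{p}:root" for p in trusted]
    stmt = {"Effect": "Allow", "Principal": {"AWS": principals}, "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def build_caller_policy(role_arn):
    """Identity policy attached to the user (or role) in the caller's account."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def _listify(v):
    return [v] if isinstance(v, str) else list(v)


def principal_matches(entry, caller_arn):
    """Simplified match of one Principal.AWS entry: '*' matches anyone, an account ID or a
    ':root' ARN matches any principal in that account, any other ARN must match exactly."""
    if entry == "*":
        return True
    if entry.isdigit() and len(entry) == 12:
        return account_of(caller_arn) == entry
    if entry.endswith(":root"):
        return account_of(entry) == account_of(caller_arn)
    return entry == caller_arn


def trust_policy_allows(trust_policy, caller_arn):
    """True if an Allow statement grants sts:AssumeRole to the caller and no Deny matches."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        actions = _listify(stmt["Action"])
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        entries = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
        if any(principal_matches(e, caller_arn) for e in entries):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def caller_policy_allows(caller_policy, role_arn):
    """True if the caller's identity policy allows sts:AssumeRole on the role ARN."""
    for stmt in caller_policy["Statement"]:
        if (stmt["Effect"] == "Allow" and "sts:AssumeRole" in _listify(stmt["Action"])
                and any(fnmatchcase(role_arn, r) for r in _listify(stmt["Resource"]))):
            return True
    return False


def assume_role_permitted(trust_policy, caller_arn, role_arn, caller_policy=None):
    """Both halves of the delegation must hold: the role must trust the caller, and the
    caller must hold sts:AssumeRole on the role, except for a same-account caller that
    the trust policy names explicitly by ARN."""
    if not trust_policy_allows(trust_policy, caller_arn):
        return False
    if account_of(caller_arn) == account_of(role_arn):
        for stmt in trust_policy["Statement"]:
            principal = stmt.get("Principal", {})
            if (stmt["Effect"] == "Allow" and principal != "*"
                    and caller_arn in _listify(principal.get("AWS", []))):
                return True
    return caller_policy is not None and caller_policy_allows(caller_policy, role_arn)


if __name__ == "__main__":
    trust = build_trust_policy([CALLER_ACCOUNT], external_id="securetrack-7f3a")
    print(json.dumps(trust, indent=2))
    print(assume_role_permitted(trust, CALLER_ARN, ROLE_ARN, build_caller_policy(ROLE_ARN)))
```

Real IAM evaluation also consults service control policies, permission boundaries and conditions; the point of the simplified model is that a cross-account AssumeRole succeeds only when both documents are in place, which is the check to run first when SecureTrack reports an access denied error on a cross-account collector.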

AWS AssumeRole API

The Amazon AWS AssumeRole API returns a set of temporary security credentials that you can use for cross-account access to AWS resources you might not normally have access to. To configure Cross-Account Access for Amazon AWS Cloud devices in SecureTrack, see Adding Amazon AWS Cloud Platform. For more information about the AWS AssumeRole API, see http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html (AWS Documentation » AWS Security Token Service » API Reference » Actions » AssumeRole).

The following required and optional parameters are used for SecureTrack Cross-Account Access, via the AssumeRole API:

Parameter        Status    Description
RoleArn          required  The Amazon Resource Name (ARN) of the role to assume.
                           Example: arn:aws:iam::006751140943:role/AssumRoleAdmin
RoleSessionName  required  An identifier for the assumed role session. Use the role session
                           name to uniquely identify a session when the same role is assumed
                           by different principals or for different reasons. In cross-account
                           scenarios, the role session name is visible to, and can be logged
                           by, the account that owns the role (it appears in that account's
                           CloudTrail records), so choose a name that identifies the caller.
DurationSeconds  optional  Duration of the role session, in seconds: 900 (15 minutes) to
                           3600 (1 hour). Default: 3600.

The 3600 s ceiling above is the default maximum session duration of a role. A role can be configured with a longer maximum (up to 12 hours); a DurationSeconds value above the role's configured maximum is rejected, and sessions obtained through role chaining (assuming a role with credentials from another assumed role) are limited to 1 hour regardless.
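Checking the three parameters locally before calling STS, as an added example that is not part of the original page or of SecureTrack: the regular expressions encode the RoleArn and RoleSessionName constraints from the AssumeRole API reference, the duration range is the one documented above, and session_name_for builds a session name that is useful in the role owner's logs. The role ARN in the test is the example from the table; everything else is constructed.

```python
import re

# Limits from the AssumeRole API reference. MAX_DURATION is the 3600 s ceiling the page
# documents; a role's configured maximum session duration can raise it, so treat it as a
# per-role setting rather than a constant of the API.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$", re.ASCII)
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)
MIN_DURATION, MAX_DURATION = 900, 3600


def check_assume_role_params(role_arn, role_session_name, duration_seconds=None):
    """Return a list of reasons STS would reject the request (empty if it looks valid)."""
    problems = []
    if not ROLE_ARN_RE.match(role_arn):
        problems.append(f"RoleArn is not an IAM role ARN: {role_arn!r}")
    if not SESSION_NAME_RE.match(role_session_name):
        problems.append("RoleSessionName must be 2-64 characters from [A-Za-z0-9_+=,.@-]")
    if duration_seconds is not None and not MIN_DURATION <= int(duration_seconds) <= MAX_DURATION:
        problems.append(f"DurationSeconds must be between {MIN_DURATION} and {MAX_DURATION}")
    return problems


def validate_assume_role_params(role_arn, role_session_name, duration_seconds=None):
    """Build the keyword arguments for an AssumeRole call, raising ValueError with every
    problem found so a misconfiguration is caught locally instead of as a generic STS error."""
    problems = check_assume_role_params(role_arn, role_session_name, duration_seconds)
    if problems:
        raise ValueError("; ".join(problems))
    params = {"RoleArn": role_arn, "RoleSessionName": role_session_name}
    if duration_seconds is not None:
        params["DurationSeconds"] = int(duration_seconds)
    return params


def session_name_for(collector, hostname):
    """Derive a RoleSessionName that says which tool assumed the role and from which host,
    so the owning account's CloudTrail entry (which records the session name) is meaningful.
    Disallowed characters are replaced and the result is cut to the 64-character limit."""
    cleaned = re.sub(r"[^\w+=,.@-]", "-", f"{collector}-{hostname}", flags=re.ASCII)
    return cleaned[:64]


if __name__ == "__main__":
    print(validate_assume_role_params("arn:aws:iam::006751140943:role/AssumRoleAdmin",
                                      session_name_for("securetrack", "st01.example.net"), 900))
```

The returned dictionary has exactly the keys boto3's `sts.assume_role(**params)` expects, so the validator can sit directly in front of the real call.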

AWS Temporary Security Credentials

  • The temporary security credentials are valid for the duration that you specify when you call AssumeRole.
  • You must call AssumeRole with the credentials of an AWS Identity and Access Management (IAM) user or an IAM role.

    If you call AssumeRole using the AWS root account credentials, you will receive an access denied error.

  • Optionally, you can pass an IAM policy (a session policy) to this operation.

    If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed. If you do pass one, the effective permissions are the intersection of the role's policy and the session policy: a session policy can only narrow what the role already grants, never add to it.

  • AWS STS has a single global endpoint (sts.amazonaws.com) plus regional endpoints that are activated or deactivated per region in the IAM account settings. The SDK cannot activate a regional endpoint, it can only be told to use one, and requests to a regional endpoint that is deactivated for the account are rejected. To direct STS calls to a region with the AWS SDK for Java (v1), set the endpoint explicitly, as follows:

    import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;

    // Construct the STS client, then point it at the eu-west-1 regional endpoint
    AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient();
    stsClient.setEndpoint("sts.eu-west-1.amazonaws.com");

  • Do not use the setRegion method to set a regional endpoint for AWS STS: for backward compatibility, that method continues to resolve to the original single global endpoint of sts.amazonaws.com.
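The session-policy rule from the list above (the returned credentials can do only what both the role policy and the passed policy allow), as an added example that is not part of the original page or of SecureTrack. Both policy documents are constructed for the example, and the evaluator deliberately models only Action and Resource matching with IAM's `*` and `?` wildcards, not Condition elements.

```python
from fnmatch import fnmatchcase

# Constructed role policy (not the page's own): read-only EC2 and S3, with an explicit
# Deny on objects in finance-* buckets.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:ListBucket", "s3:GetObject"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-*/*"},
    ],
}

# Constructed session policy passed in the AssumeRole Policy parameter. The iam:* grant is
# inert: a session policy cannot add permissions the role policy does not already hold.
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeSecurityGroups", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def policy_decision(policy, action, resource):
    """Evaluate one policy document for (action, resource): 'deny' if any Deny statement
    matches, 'allow' if an Allow statement matches, otherwise 'implicit-deny'.
    IAM wildcards (* and ?) map directly onto fnmatch patterns."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def session_allows(role_policy, action, resource, session_policy=None):
    """Effective permission of the temporary credentials: the role policy must allow, and,
    if a session policy was passed, it must allow as well (the intersection of the two)."""
    if policy_decision(role_policy, action, resource) != "allow":
        return False
    if session_policy is None:
        return True
    return policy_decision(session_policy, action, resource) == "allow"


if __name__ == "__main__":
    for action, resource in [("ec2:DescribeInstances", "*"),
                             ("ec2:DescribeSecurityGroups", "*"),
                             ("iam:CreateUser", "*"),
                             ("s3:GetObject", "arn:aws:s3:::finance-2019/report.csv")]:
        print(action, resource,
              "role-only:", session_allows(ROLE_POLICY, action, resource),
              "with-session-policy:", session_allows(ROLE_POLICY, action, resource, SESSION_POLICY))
```

Passing a narrow session policy is the cheap way to scope a collector's temporary credentials down to the Describe calls it actually needs, even when the shared role itself is broader. For the regional-endpoint point above, the boto3 equivalent of the Java setEndpoint call is `boto3.client("sts", region_name="eu-west-1", endpoint_url="https://sts.eu-west-1.amazonaws.com")`.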

For more information, see http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html