HANDS ON GUIDE TO AWS ROLE AND PERMISSIONS (STS ASSUME ROLE)

DEMO GUIDE TO AWS ROLE: AWS SECURITY TOKEN SERVICE (STS) Assume Role.

Reference

by Joseph Ndambombi Honpah


This content originally appeared on DEV Community and was authored by JosephHonpah

🔑 What is Assume Role?
AWS STS Assume Role allows you to grant temporary, limited-privilege credentials to users or applications. This is especially useful for scenarios like granting EC2 instances access to AWS resources without hard-coding long-term credentials.

💡 Why Use Assume Role for EC2 Access?
1️⃣ Enhanced Security: Avoid storing long-term credentials on your instances.
2️⃣ Granular Permissions: Assign only the permissions needed for specific tasks.
3️⃣ Auditability: Track and monitor temporary credentials for better compliance.

✍🏾 In this demo, your management account grants your newly created IAM user ONLY short-term credentials for EC2 access, so that the user can perform actions in the EC2 console.

📝 Prerequisites for this demo.

1️⃣ Two AWS IAM user accounts, created by navigating to the AWS Management Console.

2️⃣ A notepad for writing down details.

📈 The cost for this demo is $0, unless you choose to spin up EC2 instances, which may incur charges unless you are in the Free Tier.

1️⃣ Creating a new IAM user just for the demo; if you already have one set up, you can skip this section.

  • Navigate to the management console for the management account, search for IAM and click on it.
  • Go to Users and click Create user.


Give the IAM user the name Demo-STS, check Provide user access and check the Create an IAM user box ☑️.


  • Choose Autogenerated password, leave everything else as default, scroll down and click Next.


  • Leave everything as default and click Next.


  • Review your details, scroll down and click Create user.


  • Retrieve the sign-in details and save them in your notepad for reference.


  • In a new browser, copy and paste the console sign-in details and sign in as the newly created IAM user with the details collected above.


  • Once you’re signed in as the new user (Demo-STS), navigate to the EC2 console; you will see that the user has no permissions granted for the account.


2️⃣ Creating the STS Assume Role and adding EC2 permissions to that role, so the newly created user can use the EC2 service.

  • Back in the management account, in the IAM console click Roles and then Create role.


  • Select the trusted entity type AWS account and check the box ☑️ This account, scroll down and click Next.


  • Add permissions by searching for AmazonEC2FullAccess. Once it is selected, scroll down and click Next.


  • Give the role a name (EC2-Full-Access-STS), review it and scroll down to click Create role.


  • Still in the management account, click Roles and click on the role just created to retrieve the Role ARN and the Link to switch roles in console, which will be used in the next part of this demo.


  • Click on the new IAM user (Demo-STS) created earlier. Open the Add permissions drop-down and choose Create inline policy.


  • Click on JSON and edit the Action to “sts:AssumeRole”, and set the Resource to the ARN of the role created above (EC2-Full-Access-STS). Scroll down and click Next.


  • Give the policy a name (EC2-Full-Access-STS), review it, scroll down and click Create policy.


  • Confirm that, even after the inline policy is created, the new IAM user (Demo-STS) still does not have EC2 access yet.


  • To get that access, navigate to Roles in the management account, click on the role created (EC2-Full-Access-STS), copy the “Link to switch roles in console”, paste it into a new browser and press Enter.


3️⃣ Checking whether the Assume Role is established and can be used by the new IAM user (Demo-STS).

  • Signed in as the new IAM user (Demo-STS), open the Link to switch roles in console in a new browser and click Switch Role.


  • You can see that the new IAM user (Demo-STS) now has full access ONLY to the EC2 service.


  • Try checking for an S3 bucket with the same user and you will see it has no access to S3 services: it says Access Denied, because we did not attach an S3 access policy to the IAM role in the management account.
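The policy documents the console builds in parts 2 and 3, together with a simplified IAM evaluator that reproduces the three checks above (no EC2 before switching roles, EC2 after, S3 denied). This is an added example, not the author's code; the account ID is a placeholder and the AmazonEC2FullAccess stand-in is a simplification.

```python
"""Constructed example (not from the post): the policy documents behind the
Demo-STS walkthrough plus a simplified IAM evaluator mirroring the console checks."""
import fnmatch

ACCOUNT_ID = "111122223333"  # placeholder, not a real account
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/EC2-Full-Access-STS"

# Trust policy produced by "Trusted entity: AWS account -> This account".
# ":root" trusts any principal in the account that is itself allowed to
# call sts:AssumeRole on this role, not only the account's root user.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}}]}

# Inline policy on the Demo-STS user: it may assume this one role and
# nothing else, which is why the user has no EC2 access before switching.
USER_INLINE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Stand-in for the AmazonEC2FullAccess managed policy (assumed summary; the
# real policy also grants some ELB, CloudWatch and Auto Scaling actions).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _match(patterns, value, fold_case):
    """IAM-style '*' matching; actions are case-insensitive, ARNs are not."""
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    if fold_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def is_allowed(policy, action, resource="*"):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_match(stmt["Action"], action, True)
                and _match(stmt.get("Resource", "*"), resource, False)):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print("user EC2 before switch:", is_allowed(USER_INLINE_POLICY, "ec2:DescribeInstances"))
    print("user may assume role:  ", is_allowed(USER_INLINE_POLICY, "sts:AssumeRole", ROLE_ARN))
    print("role EC2:", is_allowed(ROLE_POLICY, "ec2:DescribeInstances"))
    print("role S3: ", is_allowed(ROLE_POLICY, "s3:ListAllMyBuckets"))
```

After the switch, the session carries only the role's permissions, so the S3 check fails exactly as the walkthrough shows.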


  • Select the drop-down and click Sign out current account.


  • Now you are back to the original permissions for Demo-STS, which has no access to EC2.


4️⃣ Cleaning up your environment.

  • First click Roles and delete the role (EC2-Full-Access-STS). Next click Users and delete the newly created IAM user (Demo-STS).


🥳👏🏾 Well done, we just did an STS ASSUME ROLE. If you like my content, please like, share and comment what you think about STS and what you would like to see in the next content; your understanding is my priority 💟

#awscommunitybuilder #AWS #STSAssumeRole #ContinuesLearning

🔗 LinkedIn: https://www.linkedin.com/in/joseph-ndambombi-honpah-2044b5277

Joseph Ndambombi Honpah 😊




Published by JosephHonpah on Sciencx, 2025-03-08: https://www.scien.cx/2025/03/08/hands-on-guide-to-aws-role-and-permissions-sts-assume-role/