What is IAM Role Delegation?


Delegation is the granting of permission to someone else so that they can access resources that you control.

  • Delegation involves setting up a trust between the account that owns the resource (the trusting account) and the account that contains the users who need to access the resource (the trusted account).

  • The trusted and trusting accounts can be any of the following

    1. The same account

    2. Two accounts that are both under your organization's control.

    3. Two accounts owned by different organizations.

  • To delegate permission to access a resource, you create an IAM role that has two policies attached:

    1. Trust Policy

    2. Permission Policy

Note:- Both are in JSON format.

  • The trusted entity is named in the trust policy as the Principal element of the document.

  • When you create a trust policy, you cannot specify the wildcard (*) as the principal.

Cross-Account Permissions

  • You might need to allow users from another AWS account to access resources in your AWS account. If so, don't share security credentials, such as access keys, between accounts. Instead, use IAM roles.

  • You define a role in the trusting account that specifies what permissions the IAM users in the other account are allowed.

  • You also designate which AWS account has the IAM users that are allowed to assume the role. You do not define individual users here, but rather AWS accounts.

A role for Cross-Account Access

  • Granting access to resources in one account to a trusted principal in a different account.

  • Roles are the primary way to grant cross-account access.

  • However, with some of the web services offered by AWS, you can attach a policy directly to a resource. These are called resource-based policies. You can use them to grant principals in another AWS account access to the resource.

The following services support resource-based policies:-

  • Amazon S3

  • Amazon Simple Notification Service

  • Amazon Simple Queue Service

  • Amazon Glacier Vault
