AWS CLI: Guide to Using IAM Roles

Table of Contents:

• Introduction
• Understanding IAM Roles
• Configuring the AWS CLI to use IAM Roles
• Assuming the IAM Role
• Additional Options & Considerations
• Conclusion
• Resources

Introduction

As organizations increasingly adopt cloud computing, the need for secure and efficient access management becomes paramount. One powerful tool in the AWS ecosystem is the use of IAM roles, which allow users to gain additional permissions or access resources in different AWS accounts. In this post, we will explore how to leverage IAM roles using the AWS CLI.

Understanding IAM Roles

An IAM role is an authorization mechanism that grants users or applications the ability to perform actions or access resources in AWS. By assuming an IAM role, a user can temporarily gain the permissions associated with that role, without the need to manage long-term access keys.

Configuring the AWS CLI to Use IAM Roles

The AWS CLI provides a straightforward way to configure and use IAM roles. As outlined in the AWS CLI User Guide[1], you can define a profile in the ~/.aws/config file that specifies the IAM role to be used.

Here’s an example configuration for a role named marketingadmin:

[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadmin
source_profile = user1

In this example, the AWS CLI will use the credentials defined in the user1 profile to assume the marketingadmin role. The user in the user1 profile must have the necessary permissions to call the sts:assume-role action for the marketingadmin role.

Assuming the IAM Role

Once the IAM role is configured, you can use the --profile option (or the AWS_PROFILE environment variable) to specify the role profile when running AWS CLI commands. For example:

aws ec2 describe-instances --profile marketingadmin

The AWS CLI will then use the temporary credentials obtained by assuming the marketingadmin role to perform the requested operation.

Additional Options & Considerations

When assuming an IAM role, you can also specify additional options, such as:

• Requiring multi-factor authentication (MFA)
• Providing an External ID (for third-party access)
• Specifying a unique role session name for better auditing

It’s important to ensure that the user in the source profile has the necessary permissions to assume the target role, and that the role has a trust relationship that allows the user to use it.

Conclusion

Leveraging IAM roles with the AWS CLI is a powerful way to manage access and permissions in your AWS environment. By configuring the CLI to use IAM roles, you can simplify credential management, improve security, and enable more granular control over your AWS resources. As your organization’s cloud footprint grows, understanding and utilizing IAM roles will be a key part of your AWS best practices.

Resources:

• [1] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
• [2] https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
• [3] https://repost.aws/knowledge-center/iam-assume-role-cli
• [4] https://docs.aws.amazon.com/cli/latest/reference/configure/