I have a fair level of understanding of the relationship between AWS IAM policies, roles, users, and groups. I have also implemented the concept of an assumed role and the trusted and trusting account association. You can read more about that in Creating IAM assume-role relationship between two AWS accounts. So, when I heard of EC2 instances being able to assume a role, I was intrigued. Why would I want a virtual machine to assume a role? What is the use case? I did not have to wait too long. I came across two use cases where I required just that.
Before I explored it, the concept was: assign a set of permissions to an EC2 instance so that it can carry out a specific set of activities. Hence I created an AWS IAM policy file with a set of permissions/rules and assigned it to an AWS IAM role, which was then associated with an IAM instance profile, which in turn was assumed by an EC2 instance. The EC2 instance was then able to perform the set of actions listed in the AWS IAM policy file. If you are new to this concept, please refer to the AWS-Docs link.
I applied the nuances of this concept on a use case I was working on earlier where I created an AWS EC2 instance in a VPC using Terraform. You can find the code at: add-iam-role
I classified this process into five easy steps.
Step 1: Create a policy file
The policy file is the blueprint of a list of actions and of the AWS resources on which an entity may apply those actions. Hence, any entity associated with a policy acquires the capabilities listed in the policy file. In this case, the entity has two sets of permissions: (i) the ability to read the parameters stored under parameter/dev in Parameter Store, and (ii) the ability to list and download the objects in the bucket and folder
Step 2: Create a role that can be assumed by an EC2 instance
A role has two policies: (i) the trust policy, which specifies who or what can assume the role, and (ii) the permission policy, which specifies which actions are allowed and on which AWS resources. Below is an image of a trust policy associated with a role. The permission policy comes from the AWS IAM policy file (Step 1) once it is attached to the AWS IAM role.
Step 3: Attach the policy file to the role
By attaching the policy to the IAM role, I granted whatever entity assumes this role the permissions listed in the policy (Step 1). This policy is therefore the permission policy of the IAM role.
Step 4: Create an instance profile
An IAM instance profile is the entity that allows an IAM role to be attached to an EC2 instance. Conceptually, an instance profile acts like a vessel that holds exactly one IAM role, which an EC2 instance can then assume.
Step 5: Attach the instance profile to the EC2 instance
Finally, the IAM instance profile that carries the IAM role is attached to the AWS EC2 instance. The EC2 instance then inherits the permission policy associated with the IAM role (Step 3), which the IAM role in turn acquired from the attached IAM policy (Step 1).
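The five steps above, expressed as one Terraform configuration. This is an added example, not the code from the post's add-iam-role repository. The AMI id, subnet id, parameter path, bucket name and the folder prefix folder/ are placeholders (assumptions); the permission policy is scoped to exactly those two resources rather than to "*", the trust policy admits only the EC2 service principal, and the instance requires IMDSv2 so that the role's temporary credentials can only be fetched with a session token, which is a hardening step beyond what the post describes.

```hcl
# Added example (not the post's own code). All ids, names and paths
# below are placeholders; replace them with your own values.

variable "parameter_path" {
  description = "Placeholder Parameter Store path prefix the instance may read"
  type        = string
  default     = "/example-app/dev"
}

variable "bucket_name" {
  description = "Placeholder S3 bucket the instance may list and read from"
  type        = string
  default     = "example-artifacts-bucket"
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Step 1: the permission policy, scoped to the two resources only.
data "aws_iam_policy_document" "ec2_permissions" {
  statement {
    sid     = "ReadDevParameters"
    effect  = "Allow"
    actions = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = [
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${var.parameter_path}/*"
    ]
  }
  statement {
    sid       = "ListBucketFolder"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.bucket_name}"]
    # Listing is limited to the one folder prefix (placeholder)
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["folder/*"]
    }
  }
  statement {
    sid       = "GetBucketFolderObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.bucket_name}/folder/*"]
  }
}

resource "aws_iam_policy" "ec2_permissions" {
  name   = "ec2-dev-parameters-and-artifacts"
  policy = data.aws_iam_policy_document.ec2_permissions.json
}

# Step 2: the trust policy lets only the EC2 service assume the role.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ec2" {
  name               = "ec2-dev-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Step 3: attach the permission policy to the role.
resource "aws_iam_role_policy_attachment" "ec2" {
  role       = aws_iam_role.ec2.name
  policy_arn = aws_iam_policy.ec2_permissions.arn
}

# Step 4: the instance profile holds exactly one role.
resource "aws_iam_instance_profile" "ec2" {
  name = "ec2-dev-instance-profile"
  role = aws_iam_role.ec2.name
}

# Step 5: attach the instance profile to the instance.
resource "aws_instance" "app" {
  ami                  = "ami-PLACEHOLDER"
  instance_type        = "t3.micro"
  subnet_id            = "subnet-PLACEHOLDER"
  iam_instance_profile = aws_iam_instance_profile.ec2.name

  # Require IMDSv2: credentials are only served to requests carrying a session token.
  metadata_options {
    http_tokens = "required"
  }
}
```

After terraform apply, running aws sts get-caller-identity from inside the instance should report an assumed-role ARN ending in ec2-dev-role, which confirms the chain without looking at the console. Because the policy names concrete resources, a later attempt to read a parameter outside the dev path or an object outside the folder prefix is denied and shows up in CloudTrail as an AccessDenied event, which is the behaviour you want from an instance that holds sensitive credentials.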
After making all these changes, I executed the terraform apply command, and it ran successfully. Then, I confirmed on the AWS console that the EC2 instance had the appropriate IAM role attached.
Generally, attaching an AWS IAM role to an EC2 instance is part of a more extensive use case. In my case, I required a secure approach to accessing sensitive credentials, and attaching an AWS IAM role with that capability to an EC2 instance addressed that.
I hope you found this note useful. I would be happy to answer any questions that you might have. Please use the comments section for the same.