Roles & Cross-Account

AssumeRole & Trust Policies

IAM Roles

Service Roles: for AWS services like EC2, Lambda, ECS

Cross-Account Roles: for access between different AWS accounts

Web Identity Roles: for federated users from identity providers

Trust Policies

Trust Policy Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
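The policy above names the account root as principal, which delegates the decision to every IAM identity in account 123456789012 that is itself allowed to call sts:AssumeRole. The following Python is an added example, not code from the page: it is a deliberately simplified model of how a trust policy is evaluated (Principal match, Condition check, explicit Deny overriding Allow), not the IAM engine itself, and it only understands the StringEquals and Bool condition operators. The page's policy is reused as-is; the second policy, the partner account id 210987654321 and the value "example-external-id" are constructed to show the ExternalId condition that is the usual guard for cross-account roles.

```python
import fnmatch
import re

# Trust policy copied from the page: the account root as principal.
PAGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed cross-account variant (partner account id and external id are
# placeholders). The ExternalId condition is the standard guard against the
# confused-deputy problem when another account assumes the role.
HARDENED_CROSS_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        }
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account id of a bare id, a root ARN, or any IAM/STS ARN; None otherwise."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    match = re.match(r"arn:aws:(?:iam|sts)::(\d{12}):", principal)
    return match.group(1) if match else None


def principal_matches(principal, caller_arn):
    """Does the statement's Principal element name the caller?"""
    if isinstance(principal, str):
        return principal == "*"  # anonymous trust: never appropriate for a role
    caller_account = account_of(caller_arn)
    for entry in as_list(principal.get("AWS", [])):
        if entry == "*":
            return True
        if re.fullmatch(r"\d{12}", entry) or entry.endswith(":root"):
            # Account principal: delegates to every identity in that account
            # (IAM also requires the caller's own policy to allow sts:AssumeRole).
            if caller_account is not None and account_of(entry) == caller_account:
                return True
        elif entry == caller_arn:
            return True
    return False


def conditions_hold(condition, context):
    """Evaluate the subset of condition operators this example models."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in as_list(expected):
                    return False
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled here")
    return True


def evaluate_trust(policy, caller_arn, context=None):
    """Allow only if some Allow statement matches and no Deny statement does."""
    context = context or {}
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions):
            continue
        if not principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit deny wins regardless of other statements
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    alice = "arn:aws:iam::123456789012:user/alice"
    partner = "arn:aws:iam::210987654321:role/partner"
    print("same-account user:", evaluate_trust(PAGE_TRUST_POLICY, alice))
    print("other-account user:", evaluate_trust(PAGE_TRUST_POLICY, "arn:aws:iam::999999999999:user/mallory"))
    print("partner, no external id:", evaluate_trust(HARDENED_CROSS_ACCOUNT_POLICY, partner))
    print("partner, external id:", evaluate_trust(HARDENED_CROSS_ACCOUNT_POLICY, partner,
                                                  {"sts:ExternalId": "example-external-id"}))
```

Run it to see that the page's policy admits any identity in the trusted account and rejects every other account, and that the hardened policy additionally rejects a partner-account caller who does not present the agreed ExternalId.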

AssumeRole Process

1. Request: User/Service calls the AssumeRole API
2. Validate: the trust policy permissions are checked
3. Issue: temporary credentials are returned
4. Access: the credentials are used for API calls
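The four steps, as an added Python example that is not part of the page: the request is validated locally (role ARN shape, the 2-64 character RoleSessionName limit and the 900-43200 second DurationSeconds range that STS enforces), the STS call itself is isolated in one function that imports boto3 lazily, and the issued credentials are turned into the environment variables the SDKs and CLI read, with their remaining lifetime computed. The role name "Auditor", the session name "alice-audit" and every value in SAMPLE_RESPONSE are constructed placeholders shaped like a real AssumeRole response.

```python
import re
from datetime import datetime, timezone

ROLE_ARN_RE = re.compile(r"arn:aws:iam::\d{12}:role/[A-Za-z0-9_+=,.@/-]+")
# STS limits: RoleSessionName is 2-64 characters from [A-Za-z0-9_+=,.@-];
# DurationSeconds is 900-43200 and is further capped by the role's MaxSessionDuration.
SESSION_NAME_RE = re.compile(r"[A-Za-z0-9_+=,.@-]{2,64}")

# Constructed sample of what STS returns (step 3); all values are placeholders.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY000000",
        "SecretAccessKey": "EXAMPLE-SECRET-KEY",
        "SessionToken": "EXAMPLE-SESSION-TOKEN",
        "Expiration": "2025-01-01T13:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:alice-audit",
        "Arn": "arn:aws:sts::123456789012:assumed-role/Auditor/alice-audit",
    },
}


def is_valid_session_name(name):
    return SESSION_NAME_RE.fullmatch(name) is not None


def build_assume_role_request(role_arn, session_name, duration_seconds=3600, external_id=None):
    """Step 1 (Request): validate the parameters locally before calling STS."""
    if not ROLE_ARN_RE.fullmatch(role_arn):
        raise ValueError(f"not a role ARN: {role_arn}")
    if not is_valid_session_name(session_name):
        raise ValueError("RoleSessionName must be 2-64 chars of [A-Za-z0-9_+=,.@-]")
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    request = {"RoleArn": role_arn, "RoleSessionName": session_name, "DurationSeconds": duration_seconds}
    if external_id is not None:
        request["ExternalId"] = external_id  # must match the trust policy's sts:ExternalId condition
    return request


def assume_role(role_arn, session_name, **kwargs):
    """Steps 1-3: STS validates the trust policy and, on success, issues temporary credentials."""
    import boto3  # imported lazily so the helpers in this module work without boto3 installed
    request = build_assume_role_request(role_arn, session_name, **kwargs)
    return boto3.client("sts").assume_role(**request)


def credentials_to_env(response):
    """Step 4 (Access): the three values the AWS SDKs and CLI read from the environment."""
    creds = response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def _as_datetime(value):
    """boto3 returns Expiration as a datetime; raw JSON carries an ISO-8601 string."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_remaining(response, now=None):
    """How long the issued credentials are still usable; 0 once they have expired."""
    expiry = _as_datetime(response["Credentials"]["Expiration"])
    current = _as_datetime(now) if now is not None else datetime.now(timezone.utc)
    return max(0, int((expiry - current).total_seconds()))


def assumed_role_identity(response):
    """(account, role name, session name) as the session is identified in the AssumedRoleUser ARN."""
    arn = response["AssumedRoleUser"]["Arn"]
    match = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)", arn)
    if not match:
        raise ValueError(f"unexpected AssumedRoleUser ARN: {arn}")
    return match.groups()


if __name__ == "__main__":
    print(build_assume_role_request("arn:aws:iam::123456789012:role/Auditor", "alice-audit"))
    print(credentials_to_env(SAMPLE_RESPONSE))
    print(seconds_remaining(SAMPLE_RESPONSE, now="2025-01-01T12:00:00Z"), "seconds left")
    print(assumed_role_identity(SAMPLE_RESPONSE))
```

The session name is worth choosing deliberately: it becomes the last path element of the assumed-role ARN, so a name that identifies the human or workload behind the session is what later distinguishes one use of the role from another.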
