Create your first role - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create your first role

An IAM role is an identity within your Amazon Web Services account that has specific permissions. It is similar to an IAM user, but is not associated with a specific person. You can temporarily assume an IAM role in the Amazon Web Services Management Console by switching roles. You can assume a role by calling an Amazon CLI or Amazon API operation or by using a custom URL. For more information about methods for using roles, see Using IAM roles in the IAM User Guide.

IAM roles with temporary credentials are useful in the following situations:

  • Federated user access – To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Creating a role for a third-party Identity Provider in the IAM User Guide.

  • Temporary IAM user permissions – An IAM user or role can assume an IAM role to temporarily take on different permissions for a specific task.

  • Cross-account access – You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some Amazon Web Services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see Cross account resource access in IAM in the IAM User Guide.

  • Cross-service access – Some Amazon Web Services use features in other Amazon Web Services. For example, when you make a call in a service, it's common for that service to run applications in Amazon EC2 or store objects in Amazon S3. A service might do this using the calling principal's permissions, using a service role, or using a service-linked role.

    • Forward access sessions (FAS) – When you use an IAM user or role to perform actions in Amazon, you are considered a principal. When you use some services, you might perform an action that then initiates another action in a different service. FAS uses the permissions of the principal calling an Amazon Web Service, combined with the requesting Amazon Web Service to make requests to downstream services. FAS requests are only made when a service receives a request that requires interactions with other Amazon Web Services or resources to complete. In this case, you must have permissions to perform both actions. For policy details when making FAS requests, see Forward access sessions.

    • Service role – A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an Amazon Web Service in the IAM User Guide.

    • Service-linked role – A service-linked role is a type of service role that is linked to an Amazon Web Service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your Amazon Web Services account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

  • Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making Amazon CLI or Amazon API requests. This is preferable to storing access keys within the EC2 instance. To assign an Amazon role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.

To learn whether to use IAM roles or IAM users, see When to create an IAM role (instead of a user) in the IAM User Guide.

IAM roles are a secure way to grant permissions to entities you trust. An IAM role has some similarities to an IAM user. Roles and users are both principals with permissions policies that determine what the identity can and cannot do in Amazon. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role doesn't have long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. Using roles helps you follow the IAM best practices.

Note

You can use Amazon Identity and Access Management Roles Anywhere to give access to machine identities. Using IAM Roles Anywhere means you don't need to manage long-term credentials for workloads running outside of Amazon. For more information, see What is Amazon Identity and Access Management Roles Anywhere? in the Amazon Identity and Access Management Roles Anywhere User Guide.

IAM Identity Center and other Amazon services automatically create roles for their services. If you are using IAM users, we recommend that you create roles for your users to assume when they sign-in. This will give them temporary permissions during the session instead of long-term permissions.

The Amazon Web Services Management Console wizard that guides you through the steps for creating a role displays slightly different steps depending on whether you're creating a role for an IAM user, Amazon service, or for a federated user. Regular access to Amazon Web Services accounts within an organization should be provided using federated access. If you are creating IAM users for specific purposes, such as emergency access or programmatic access, only grant those IAM users permission to assume a role and put those IAM users into role specific groups.

In this procedure, you create a role that provides SupportUser access for the EmergencyAccess IAM user. Before starting this procedure, copy the ARN of the IAM user to the clipboard.

To create a role for an IAM user

  1. Follow the sign-in procedure appropriate to your user type as described in the topic How to sign in to Amazon in the Amazon Sign-In User Guide.

  2. On the Console Home page, select the IAM service.

  3. In the navigation pane of the IAM console, choose Roles and then choose Create role.

  4. Choose Amazon Web Services account role type.

  5. In Select trusted entity, under Trusted entity type, choose Custom trust policy.

  6. In the Custom trust policy section, review the basic trust policy. This is the one we will use for this role. Use the Edit statement editor to update the trust policy:

    1. In Add actions for STS, select Assume Role.

    2. Next to Add a principal, select, Add. The Add principal window opens.

      Under Principal type, select IAM Users.

      Under ARN, paste the IAM user ARN you copied to the clipboard.

      Choose Add principal.

    3. Verify that the Principal line in the trust policy now contains the ARN you specified:

      "Principal": { "AWS": "arn:aws-cn:iam::123456789012:user/username" }

  7. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next.

  8. In Add permissions, select the checkbox next to the permissions policy to apply. For this tutorial we're going to select the SupportUser trust policy. You can then use this role to troubleshoot and resolve issues with the Amazon Web Services account and open support cases with Amazon. We aren't going to set a permissions boundary at this time.

  9. Choose Next.

  10. In Name, review, and create complete these settings:

    • For Role name, enter a name that identifies this role, such as SupportUserRole.

    • For Description, explain the intended use of the role.

    Because other Amazon resources might reference the role, you can't edit the name of the role later.

  11. Choose Create role.

    After creating the role, share the role information with the people who require the role. You can share the role information by:

    • Role link: Send users a link that takes them to the Switch Role page with all the details already filled in.

    • Account ID or alias: Provide each user with the role name along with the account ID number or account alias. The user then goes to the Switch Role page and adds the details manually.

    • Saving the role link information along with the EmergencyAccess user credentials.

    For details, see Providing information to the user.