FAQs on IAM Roles
Q: What is an IAM Role?
A: An IAM Role is an IAM identity that you can create in AWS. Roles have permissions policies that determine what the identity can and cannot do in AWS. Roles are used to delegate access to users, applications, or services that don't have long-term credentials (like a username and password or access keys).
Q: How is an IAM Role different from an IAM User?
A:
- IAM User: An entity that you create in AWS to represent the person or service that interacts with AWS. It has permanent long-term credentials.
- IAM Role: An entity that defines a set of permissions for making AWS service requests. Roles do not have long-term credentials. Instead, when you assume a role, it provides you with temporary security credentials.
Q: How do you create an IAM Role?
A: To create an IAM Role, you need to define a trust policy and one or more permission policies. Here is an example of how you can create an IAM Role using the AWS CLI:
aws iam create-role --role-name ExampleRole --assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'
Q: How do you attach a policy to an IAM Role?
A: After creating a role, you can attach a policy to it. Here is an example of attaching the AmazonS3ReadOnlyAccess policy to the role:
aws iam attach-role-policy --role-name ExampleRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Q: How do you assume an IAM Role?
A: To assume a role, you can use the AWS Security Token Service (STS). Here is an example using the AWS CLI to assume a role:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/ExampleRole --role-session-name ExampleSession
Q: How do you use temporary credentials from an assumed role?
A: Once you have assumed a role and obtained temporary credentials, you can use these credentials to access AWS services. Here is an example using Python with the boto3 library:
import boto3
# Assume the role and get temporary credentials
sts_client = boto3.client('sts')
response = sts_client.assume_role(
RoleArn='arn:aws:iam::123456789012:role/ExampleRole',
RoleSessionName='ExampleSession'
)
credentials = response['Credentials']
# Use the temporary credentials to create a new session
s3_client = boto3.client(
's3',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken']
)
# List S3 buckets
response = s3_client.list_buckets()
print('Buckets:', [bucket['Name'] for bucket in response['Buckets']])
Q: What are inline policies and managed policies?
A:
- Inline Policies: Policies that you create and manage within a single IAM role, user, or group.
- Managed Policies: Standalone policies that you can attach to multiple users, groups, and roles.
Example of creating an inline policy:
Here is an example of creating an inline policy directly attached to a role using the AWS CLI:
aws iam put-role-policy --role-name ExampleRole --policy-name ExamplePolicy --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example-bucket"
}
]
}'
Example of creating a managed policy:
Here is an example of creating a managed policy using the AWS CLI:
aws iam create-policy --policy-name ExampleManagedPolicy --policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example-bucket"
}
]
}'
Q: How do you revoke permissions from an IAM Role?
A: To revoke permissions from an IAM Role, you can detach policies or delete inline policies. Here is an example of detaching a managed policy:
aws iam detach-role-policy --role-name ExampleRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
And an example of deleting an inline policy:
aws iam delete-role-policy --role-name ExampleRole --policy-name ExamplePolicy
Important Interview Questions and Answers on IAM Roles
Q: What is an IAM Role, and how is it different from an IAM User?
An IAM Role is an AWS identity with specific permissions that determine what actions can be performed. Unlike an IAM User, a role does not have long-term credentials such as a password or access keys. Instead, roles are meant to be assumed by trusted entities such as users, applications, or AWS services, which are provided temporary security credentials.
Example Code:
{
"RoleName": "ExampleRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "An example role for EC2",
"MaxSessionDuration": 3600
}
Q: How do you create an IAM Role using AWS CLI?
You can create an IAM Role using the AWS CLI by defining the trust policy JSON file and using the create-role command.
Example Code:
aws iam create-role --role-name ExampleRole --assume-role-policy-document file://trust-policy.json
The trust-policy.json might look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Q: What is a trust policy in IAM, and how is it used?
A trust policy is a JSON policy document that defines which entities (like users, roles, or AWS services) can assume a role. It is specified when creating or updating an IAM role. The trust policy allows the role to be assumed by specified AWS accounts or services.
Q: Explain the difference between AssumeRole and GetSessionToken.
- AssumeRole is used to grant temporary access to AWS resources to users or services that do not normally have access. It returns temporary security credentials and is often used with roles.
- GetSessionToken is used to obtain temporary security credentials for IAM Users. These credentials can then be used to make authenticated requests to AWS services.
Q: How would you attach a policy to an IAM Role?
You can attach a policy to an IAM Role using the AWS Management Console, AWS CLI, or AWS SDKs. Here’s an example using the AWS CLI:
Example Code:
aws iam attach-role-policy --role-name ExampleRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Q: Describe a use case where you would use an IAM Role instead of an IAM User.
A common use case for using an IAM Role is when running applications on EC2 instances. Instead of embedding long-term AWS credentials in the instance, you can assign an IAM Role to the instance, allowing it to securely make API requests to other AWS services like S3 or DynamoDB without the need for manual credential management.
Q: How can you assume an IAM Role using the AWS SDK for Python (Boto3)?
You can use the assume_role method from the STS client in Boto3.
Example Code:
import boto3
client = boto3.client('sts')
response = client.assume_role(
RoleArn='arn:aws:iam::123456789012:role/ExampleRole',
RoleSessionName='ExampleSession'
)
credentials = response['Credentials']
print(credentials)
Q: What is the MaxSessionDuration of an IAM Role, and how can it be set?
MaxSessionDuration is the maximum duration, in seconds, that a session can be active after assuming the role. It can be set when creating or updating an IAM Role.
Example Code:
aws iam create-role --role-name ExampleRole --assume-role-policy-document file://trust-policy.json --max-session-duration 3600
Q: Can an IAM Role be assumed by an external AWS account? If yes, how?
Yes, an IAM Role can be assumed by an external AWS account by specifying the account ID in the trust policy.
Example Code:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::EXTERNAL_ACCOUNT_ID:root"
},
"Action": "sts:AssumeRole"
}
]
}
Q: How can you revoke permissions from an IAM Role?
Permissions can be revoked from an IAM Role by detaching policies or updating the role's inline policies to remove permissions.
Example Code:
aws iam detach-role-policy --role-name ExampleRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess