Here are some common use cases:

1. EC2 Instances Accessing S3:
   - EC2 instances can be assigned a role that allows them to access S3 buckets without embedding access keys in the instance.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/*"
    }
  ]
}
```

2. Cross-Account Access:
   - Allowing a user in one AWS account to access resources in another account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

3. Lambda Functions Accessing RDS:
   - Lambda functions can assume roles that allow them to interact with RDS databases.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:*"
      ],
      "Resource": "*"
    }
  ]
}
```

4. Delegating API Access:
   - Granting third-party applications access to AWS resources through an API.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-west-2:123456789012:example-api/*"
    }
  ]
}
```

5. CodeBuild Accessing Secrets Manager:
   - CodeBuild projects can access secrets stored in Secrets Manager.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": "*"
    }
  ]
}
```
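Several of the policies above use a service-wide wildcard action (`s3:*`, `rds:*`) or `"Resource": "*"`, and the cross-account trust policy trusts an entire account's `:root` with no `Condition`. The following is an added example, not code from the original page: a small offline linter that walks policy documents of this shape and flags those patterns. The sample policies are constructed inline from the use cases above, and the finding codes are this example's own naming.

```python
# Constructed sample policies modelled on the use cases above (not copied from a live account).
EC2_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example_bucket/*"}]}
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "sts:AssumeRole"}]}
LAMBDA_RDS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:*"], "Resource": "*"}]}
CODEBUILD_SECRETS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": "*"}]}


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def find_issues(policy):
    """Return (statement_index, code, detail) for each overly broad Allow statement."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal is not None:  # trust-policy statement: who may assume the role
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            for p in _as_list(aws):
                if p == "*":
                    findings.append((i, "ANY_PRINCIPAL", "any AWS principal may assume the role"))
                elif p.endswith(":root") and "Condition" not in st:
                    findings.append((i, "UNCONDITIONED_ACCOUNT_TRUST",
                                     f"whole account {p} trusted without a Condition such as sts:ExternalId"))
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "WILDCARD_ACTION", f"{action} grants every API in that service"))
        if "*" in _as_list(st.get("Resource", [])):
            findings.append((i, "WILDCARD_RESOURCE", "Resource '*' covers every resource in the account"))
    return findings


def lint(name, policy):
    """Print one line per finding; returns the number of findings for scripting."""
    issues = find_issues(policy)
    for idx, code, detail in issues:
        print(f"{name}: statement {idx}: {code}: {detail}")
    return len(issues)


if __name__ == "__main__":
    for name, pol in [("ec2-s3", EC2_S3), ("cross-account", CROSS_ACCOUNT_TRUST),
                      ("lambda-rds", LAMBDA_RDS), ("codebuild-secrets", CODEBUILD_SECRETS)]:
        lint(name, pol)
```

The same function can be pointed at the documents returned by `aws iam get-role` and `aws iam get-role-policy` once they are parsed with `json.loads`.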