2

I apply ec2 instance roles to my servers but I want to switch to those roles myself locally first to test permissions

Id tried switching to one but I get an error:

aws sts assume-role --role-arn arn:aws:iam::1234567890:role/myrole --role-session abc

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234567890:user/meeee is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234567890:role/myrole

I am an account admin. Do I need to modify the trust policy or something to allow users to assume ec2 instance roles?

red888
  • 4,183
  • 18
  • 64
  • 111

2 Answers2

3

To allow your account to assume the service role you'll need to edit the role and add your account in the Principal. To do so:

In IAM -> Roles -> Your Service Role go to the Trust relationship tab and click on Edit trust relationship. Your trust relationship will something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

You need to add your AWS account similar to this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::<your AWS account number>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

You will then be able to get credentials through sts.

Another way to get the desired outcome you're seeking is to use Policy Simulator

In the role's Permissions tab, click the arrow to the left of the policy and it will display a button to Simulate policy:

enter image description here

NOTE

It's not possible to use an IAM Group as a Principal.

Note that a group is not truly an identity because it cannot be identified as a Principal in a resource-based or trust policy. It is only a way to attach policies to multiple users at one time.

References

slm
  • 7,615
  • 16
  • 56
  • 76
kenlukas
  • 3,101
  • 2
  • 16
  • 26
1

You can fetch the credentials from the instance and use it locally with the help of get-instance-credentials script.

  1. Start your instance with the desired EC2 Role

  2. Run get-instance-credentials

    [ec2-user@ip-...] aws-utils $ ./get-instance-credentials
export AWS_ACCESS_KEY_ID="ASIA5G...ERJGI"
export AWS_SECRET_ACCESS_KEY="8rTXu4R1...IM2"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEE4aD...4zw=="

  3. Copy and paste the 3 export AWS_* lines to your local shell on your laptop

    me@my-laptop ~ $ export AWS_ACCESS_KEY_ID="ASIA5G...ERJGI"
me@my-laptop ~ $ export AWS_SECRET_ACCESS_KEY="8rTXu4R1...IM2"
me@my-laptop ~ $ export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEE4aD...4zw=="

  4. Verify the credentials

    me@my-laptop ~ $ aws sts get-caller-identity
{
    "UserId": "AROAXYZABC1234:i-0a1b2c3d",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/test-ec2-role/i-0a1b2c3d"
}

As you can see even as me@my-laptop I can now access AWS with the credentials of test-ec2-role.

This way you can easily test the IAM Role configuration, test your apps, etc.

Hope that helps :)

MLu
  • 24,849
  • 5
  • 59
  • 86
  • thats not very convenient as i need to stand up a server to do that. is there any way for a regular user account or another role to assume an instance role directly? – red888 Apr 13 '20 at 23:42
  • 1
    @red888 That’s what kenlukas’ answer describes. My answer shows how to bring the actual creds from the instance to a local shell for testing. At times it comes handy. – MLu Apr 13 '20 at 23:47