
Below is the SAM template:

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
        - AWSLambdaExecute

for which the role (JSON) below is created for the Lambda function:

{
  "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAA",
  "policies": [
    {...}, # AWSLambdaExecute
    {...}, # AWSLambdaSQSQueueExecutionRole
    {....} # AWSLambdaBasicExecutionRole
  ],
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}

What is trustedEntities in this JSON?

overexchange

1 Answer

Trusted entities are the set of entities that can assume this role. If you are creating the function via SAM, the trust relationship between the role created by SAM and the Lambda service in your account will be created automatically, which in turn means that your Lambda function can assume this role.

If you want to assign this role to an EC2 instance, you will not be able to, because your role doesn't trust the EC2 service by default. You would need to modify the trust relationship and include the EC2 service, like this:

"trustedEntities": [
    "lambda.amazonaws.com",
    "ec2.amazonaws.com"
  ]

This is also useful if you want to create a role that can be assumed across accounts: you can specify the other account as a trusted entity so that the other account(s) will be able to assume the role.

And if the trustedEntities list is empty, nobody is able to assume the role.

Matus Dubrava
  • Who all (which `Principal`s) can appear in `trustedEntities`? Today I saw an example of an account (`1111-2222-3333`) being a trusted entity... for a role. I already know that an *IAM user* & *AWS resources* can assume a role. – overexchange Jul 23 '19 at 15:51
  • Trusted entities can be any of these: AWS service, AWS account, SAML 2.0 compliant IdP and OIDC compliant IdP. IAM users can't assume roles by default even if they have appropriate permissions given by an IAM policy, because there is no default trust between the role and the IAM user. If you want to allow IAM users to assume the role, you need to specify trust between the role and the IAM account (either the same account in which the role is created or a different account for cross-account access). – Matus Dubrava Jul 23 '19 at 17:00
  • If you see this [diagram](https://www.youtube.com/watch?v=pmemtFjlApQ&t=1171s), it shows that role is being assumed by *IAM user* or *AWS resource*. I think, *AWS resource* is nothing but *AWS service* in his diagram. But am not sure, why he has shown *IAM user*? – overexchange Jul 23 '19 at 17:24
  • The diagram is correct. An IAM user can assume a role, but first you need to establish a trust relationship between the role and the AWS account. After that, users from that account can assume the role if they have sufficient permissions - `sts:AssumeRole`. Note that the diagram only shows how `sts:AssumeRole` works, but there are other API calls that you can use to assume a role: `sts:AssumeRoleWithWebIdentity` if you have an OIDC IdP and `sts:AssumeRoleWithSAML` if you have a SAML 2.0 IdP. – Matus Dubrava Jul 23 '19 at 19:42
  • Also note that there are some other API calls that can help you with authorization such as `sts:GetSessionToken` and `sts:GetFederationToken` which you can use if you need to enforce MFA or if you need to authenticate users against some LDAP but you don't have SAML 2.0 IDP. – Matus Dubrava Jul 23 '19 at 19:44
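The `trustedEntities` list in the question is how the IAM console summarises the role's trust policy (its `AssumeRolePolicyDocument`). The following is an added example, not code from the question, the answer or SAM itself: it spells out that document for the SAM-generated Lambda role, shows the edits the answer describes (trusting `ec2.amazonaws.com`, trusting another account's root so that IAM users in that account can assume the role, the empty-trust case), and includes a small evaluator for the `Principal`/`Action`/`Condition` logic of the trust policy so you can check who can assume a role before deploying it. It models only the trust side; as the comments note, an IAM user in the trusted account still needs `sts:AssumeRole` allowed on its own identity policy, which this code does not check. The account ID `111122223333`, the user `alice` and the external ID `deploy-42` are constructed placeholders; the `sts:ExternalId` condition is the standard guard against the confused-deputy problem when the trusted account belongs to a third party.

```python
"""Build and evaluate IAM role trust policies (added example, not the page's code)."""
import copy
import json

# Trust policy SAM generates for a Lambda function role; the IAM console
# summarises it as trustedEntities: ["lambda.amazonaws.com"].
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def add_trusted_service(policy, service):
    """Return a copy of the policy that also trusts an AWS service
    (e.g. "ec2.amazonaws.com"), as an extra Allow statement."""
    new = copy.deepcopy(policy)
    new["Statement"].append({
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole",
    })
    return new


def add_trusted_account(policy, account_id, external_id=None):
    """Return a copy that trusts another account's root, so any principal in
    that account with sts:AssumeRole on its own policy may assume the role.
    external_id adds a StringEquals condition on sts:ExternalId."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    new = copy.deepcopy(policy)
    new["Statement"].append(stmt)
    return new


def _action_matches(stmt_actions, action):
    return any(a in ("*", "sts:*", action) for a in _as_list(stmt_actions))


def _principal_matches(principal_block, caller):
    """caller is e.g. {"Service": "ec2.amazonaws.com"} or {"AWS": "<arn>"}."""
    if principal_block == "*":
        return True
    for kind, ident in caller.items():
        for allowed in _as_list(principal_block.get(kind)):
            if allowed in ("*", ident):
                return True
            # Trusting an account root covers every IAM principal in that account.
            if kind == "AWS" and allowed.endswith(":root"):
                if ident.startswith(allowed[: -len("root")]):
                    return True
    return False


def _conditions_hold(condition_block, context):
    """Only StringEquals is modelled; a missing context key fails the condition."""
    for operator, pairs in (condition_block or {}).items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def can_assume(policy, caller, action="sts:AssumeRole", context=None):
    """True if the trust policy lets `caller` perform `action` on the role.
    Explicit Deny wins, any matching Allow suffices, otherwise implicit deny;
    an empty Statement list therefore lets nobody assume the role."""
    context = context or {}
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _action_matches(stmt.get("Action"), action):
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller):
            continue
        if not _conditions_hold(stmt.get("Condition"), context):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    lam = {"Service": "lambda.amazonaws.com"}
    ec2 = {"Service": "ec2.amazonaws.com"}
    alice = {"AWS": "arn:aws:iam::111122223333:user/alice"}  # constructed
    print(can_assume(LAMBDA_TRUST_POLICY, lam))  # True
    print(can_assume(LAMBDA_TRUST_POLICY, ec2))  # False: EC2 is not trusted
    with_ec2 = add_trusted_service(LAMBDA_TRUST_POLICY, "ec2.amazonaws.com")
    print(can_assume(with_ec2, ec2))  # True
    xacct = add_trusted_account(with_ec2, "111122223333", external_id="deploy-42")
    print(can_assume(xacct, alice))  # False: ExternalId not supplied
    print(can_assume(xacct, alice, context={"sts:ExternalId": "deploy-42"}))  # True
    print(can_assume({"Version": "2012-10-17", "Statement": []}, lam))  # False
    print(json.dumps(xacct, indent=2))
```

The `json.dumps(xacct)` output is the document you would put in the `AssumeRolePolicyDocument` of an explicit `AWS::IAM::Role` (or paste into the console's trust-relationship editor) instead of relying on SAM's generated role. The evaluator raises on condition operators it does not model rather than silently returning True, so it cannot report a role as more locked down than it is.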