Use cases for IAM roles
Roles are designed to provide temporary access to AWS resources, ensuring that permissions are only granted when needed and for the duration they are required. Here are some common scenarios where roles are invaluable:
- Cross-account access: Roles are the standard mechanism for working across multiple AWS accounts. Instead of creating duplicate IAM users in each account, you define a role in the target account whose trust policy allows identities from the source account to assume it.
- Applications in and beyond the AWS cloud: For AWS services such as EC2 or Lambda, roles provide a secure way to grant permissions to AWS resources without embedding long-term credentials. For instance, an EC2 instance can assume a role to access S3 buckets without needing to store access keys on the instance. Extending this capability, IAM Roles Anywhere allows for the secure assumption of IAM roles outside of AWS.
- Service-linked roles for AWS services: These allow an AWS service to perform actions on your behalf in your account. They are usually pre-defined by AWS and include exactly the permissions the service needs to call other AWS services for you, which simplifies setup and keeps those permissions scoped to the service that needs them.
- Identity federation: For organizations using an identity provider (IdP) outside of AWS, roles offer a way to grant AWS access to external identities. After authenticating with the IdP, users receive a token or an assertion that they can exchange for temporary AWS credentials by assuming a role.
- Temporary elevated access: In situations where a user needs temporary access to additional resources, roles can be used to grant these permissions without altering the user’s original permissions.