AWS IAM Role
- An IAM role is an IAM entity that defines a set of permissions for making AWS service requests.
- IAM roles are not associated with a specific user or group.
- IAM roles are used when one AWS service needs to make requests to another AWS service.
- IAM roles provide temporary credentials and aren’t associated with a specific person or thing.
- A role doesn’t have standard long-term credentials, such as a password or access keys, associated with it.
- IAM role works by calling the AWS Security Token Service (STS) AssumeRole APIs and these APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
- IAM roles are free of charge.
- You can create 1000 IAM roles in an AWS account. If you need more roles, submit the IAM limit increase request form with your use case.
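The AssumeRole flow above returns a credential set that expires, so an application has to track the expiration and re-assume the role before the old set stops working. The following is an added example, not code from the original page: `fake_assume_role` is a constructed stand-in for a real STS client call whose response has the real AssumeRole shape (a `Credentials` object with `AccessKeyId`, `SecretAccessKey`, `SessionToken` and `Expiration`) but constructed values, and the role ARN and clock times are constructed too.

```python
"""Handling the temporary credentials returned by STS AssumeRole.

Added example, not code from the original page. `make_fake_sts` builds a
constructed stand-in for sts.assume_role(); the response it returns has the
real AssumeRole shape but constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

DEFAULT_DURATION = timedelta(hours=1)   # STS default session lifetime
REFRESH_MARGIN = timedelta(minutes=5)   # renew before the old set expires


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime

    @classmethod
    def from_assume_role_response(cls, response: dict) -> "TemporaryCredentials":
        creds = response["Credentials"]
        exp = creds["Expiration"]
        if isinstance(exp, str):  # the JSON form is an ISO-8601 timestamp
            exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        return cls(creds["AccessKeyId"], creds["SecretAccessKey"],
                   creds["SessionToken"], exp)

    def seconds_remaining(self, now: datetime) -> float:
        return (self.expiration - now).total_seconds()


class RefreshingCredentialProvider:
    """Caches one credential set and re-assumes the role only near expiry."""

    def __init__(self, assume_role: Callable[[], dict],
                 margin: timedelta = REFRESH_MARGIN) -> None:
        self._assume_role = assume_role
        self._margin = margin
        self._creds: Optional[TemporaryCredentials] = None
        self.assume_calls = 0

    def get(self, now: datetime) -> TemporaryCredentials:
        if (self._creds is None
                or self._creds.seconds_remaining(now) <= self._margin.total_seconds()):
            self._creds = TemporaryCredentials.from_assume_role_response(self._assume_role())
            self.assume_calls += 1
        return self._creds


def make_fake_sts(clock: Callable[[], datetime], serial: list) -> Callable[[], dict]:
    """Constructed stand-in for sts.assume_role(): each call issues a fresh
    credential set valid for DEFAULT_DURATION from the fake clock."""
    def fake_assume_role() -> dict:
        serial[0] += 1
        n = serial[0]
        return {
            "Credentials": {
                "AccessKeyId": f"ASIAEXAMPLE{n:04d}",           # constructed
                "SecretAccessKey": f"constructed-secret-{n}",  # constructed
                "SessionToken": f"constructed-token-{n}",      # constructed
                "Expiration": (clock() + DEFAULT_DURATION).isoformat(),
            },
            "AssumedRoleUser": {  # constructed ARN
                "Arn": "arn:aws:sts::111122223333:assumed-role/AppRole/app-session",
            },
        }
    return fake_assume_role


def demo() -> dict:
    """Run the provider against a scripted clock and report what happened."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    current = [t0]
    serial = [0]
    provider = RefreshingCredentialProvider(make_fake_sts(lambda: current[0], serial))

    first = provider.get(current[0])           # cold start: one AssumeRole call
    current[0] = t0 + timedelta(minutes=30)
    second = provider.get(current[0])          # still fresh: cached set reused
    current[0] = t0 + timedelta(minutes=56)    # inside the 5-minute margin
    third = provider.get(current[0])           # renewed before expiry
    return {
        "calls": provider.assume_calls,
        "reused": first is second,
        "renewed": third.access_key_id != first.access_key_id,
        "third_remaining_s": third.seconds_remaining(current[0]),
    }


if __name__ == "__main__":
    print(demo())
```

With a real SDK the `assume_role` callable would wrap the STS client call; the refresh margin matters because a request signed with a set that expires mid-flight fails, and re-assuming on every request would both slow the application and flood CloudTrail with AssumeRole events.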
AWS supports 3 role types for different scenarios:
- AWS service roles (for example: EC2, Lambda, Redshift, CloudFormation, etc.)
- Cross-Account Access: granting permissions to users from another AWS account, whether or not you control that account.
- Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation:
  - Web identity providers such as Facebook and Google; IAM integrates with them via OpenID Connect.
  - SAML 2.0 identity providers such as Active Directory or LDAP.
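What distinguishes the three role types is the role's trust policy: who is allowed to call AssumeRole (or its web-identity and SAML variants) on it. The following is an added example, not code from the original page: it builds a trust policy for each role type and audits one for the over-broad trust a reviewer would look for (a wildcard principal, a cross-account principal with no `sts:ExternalId` condition, a federated principal with no audience condition). The policy document structure, the `sts:AssumeRole`, `sts:AssumeRoleWithWebIdentity` and `sts:AssumeRoleWithSAML` actions and the `sts:ExternalId` and `SAML:aud` condition keys are real IAM shapes; every account id, provider ARN and external id is a constructed placeholder, and the OIDC audience condition key is passed in by the caller because it depends on the provider.

```python
"""Trust policies for the three IAM role types, plus a defender-side audit.

Added example, not from the original page. Account ids, provider ARNs and
external ids below are constructed placeholders.
"""
import json
from typing import List, Optional

POLICY_VERSION = "2012-10-17"


def service_trust_policy(service_principal: str) -> dict:
    """AWS service role: the named service (e.g. lambda.amazonaws.com) may assume it."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": service_principal},
        "Action": "sts:AssumeRole",
    }]}


def cross_account_trust_policy(trusted_account_id: str,
                               external_id: Optional[str] = None) -> dict:
    """Cross-account access: identities in another account may assume the role.
    The sts:ExternalId condition keeps a third party from being tricked into
    using this role on someone else's behalf (the confused-deputy case)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": POLICY_VERSION, "Statement": [stmt]}


def web_identity_trust_policy(provider_arn: str, audience_key: str, audience: str) -> dict:
    """Identity-provider access via OpenID Connect, pinned to one audience."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {audience_key: audience}},
    }]}


def saml_trust_policy(saml_provider_arn: str) -> dict:
    """Identity-provider access via SAML 2.0 (e.g. Active Directory through a SAML IdP)."""
    return {"Version": POLICY_VERSION, "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": saml_provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }]}


def _account_of(arn: str) -> Optional[str]:
    """Account id field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[4] else None


def audit_trust_policy(policy: dict, own_account_id: str) -> List[str]:
    """Flag trust statements broader than the three role types need."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        condition = stmt.get("Condition", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS identity can assume this role")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for arn in ([aws] if isinstance(aws, str) else aws):
            account = _account_of(arn)
            if account and account != own_account_id:
                if not condition.get("StringEquals", {}).get("sts:ExternalId"):
                    findings.append(f"cross-account principal {arn} has no sts:ExternalId condition")
        if isinstance(principal, dict) and "Federated" in principal and not condition:
            findings.append("federated principal with no audience condition: any token "
                            "from this provider is accepted")
    return findings


if __name__ == "__main__":
    me = "111122223333"  # constructed account id
    for name, pol in [
        ("service", service_trust_policy("lambda.amazonaws.com")),
        ("cross-account, no ExternalId", cross_account_trust_policy("999988887777")),
        ("cross-account, ExternalId", cross_account_trust_policy("999988887777", "constructed-ext-id")),
    ]:
        print(name, json.dumps(pol), audit_trust_policy(pol, me), sep="\n  ")
```

The audit is deliberately conservative: a same-account principal without conditions is normal, but a foreign account or a federated provider with no condition means the role's security depends entirely on the other party, which is exactly the situation the ExternalId and audience checks exist to avoid.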