How can switch to an EC2 instance role locally as a user?
I apply ec2 instance roles to my servers but I want to switch to those roles myself locally first to test permissions
Id tried switching to one but I get an error:
aws sts assume-role --role-arn arn:aws:iam::1234567890:role/myrole --role-session abc
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234567890:user/meeee is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234567890:role/myrole
I am an account admin. Do I need to modify the trust policy or something to allow users to assume ec2 instance roles?
To allow your account to assume the service role you'll need to edit the role and add your account in the Principal
. To do so:
In IAM
-> Roles
-> Your Service Role
go to the Trust relationship
tab and click on Edit trust relationship
. Your trust relationship will something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
You need to add your AWS account similar to this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::<your AWS account number>:root"
},
"Action": "sts:AssumeRole"
}
]
}
You will then be able to get credentials through sts
.
Another way to get the desired outcome you're seeking is to use Policy Simulator
In the role's Permissions
tab, click the arrow to the left of the policy and it will display a button to Simulate policy
:
NOTE
It's not possible to use an IAM Group as a Principal
.
Note that a group is not truly an identity because it cannot be identified as a Principal in a resource-based or trust policy. It is only a way to attach policies to multiple users at one time.
References
- Access Policies Testing
- Modifying a Role (Console)
- IAM User Guide
You can fetch the credentials from the instance and use it locally with the help of get-instance-credentials script.
- Start your instance with the desired EC2 Role
-
Run
get-instance-credentials
[ec2-user@ip-...] aws-utils $ ./get-instance-credentials export AWS_ACCESS_KEY_ID="ASIA5G...ERJGI" export AWS_SECRET_ACCESS_KEY="8rTXu4R1...IM2" export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEE4aD...4zw=="
-
Copy and paste the 3
export AWS_*
lines to your local shell on your laptopme@my-laptop ~ $ export AWS_ACCESS_KEY_ID="ASIA5G...ERJGI" me@my-laptop ~ $ export AWS_SECRET_ACCESS_KEY="8rTXu4R1...IM2" me@my-laptop ~ $ export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEE4aD...4zw=="
-
Verify the credentials
me@my-laptop ~ $ aws sts get-caller-identity { "UserId": "AROAXYZABC1234:i-0a1b2c3d", "Account": "123456789012", "Arn": "arn:aws:sts::123456789012:assumed-role/test-ec2-role/i-0a1b2c3d" }
As you can see even as me@my-laptop I can now access AWS with the credentials of test-ec2-role.
This way you can easily test the IAM Role configuration, test your apps, etc.
Hope that helps :)