Difference between IAM role and IAM user in AWS

amazon-web-services amazon-iam federated-identity
sashoalm picture sashoalm · Sep 13, 2017 · Viewed 24.8k times · Source

What is the difference between an IAM role and an IAM user? The IAM FAQ has an entry explaining it, but it was vague and not very clear:

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

I think an IAM role is used for federated logins (using an IdP with SAML tokens for example), and they don't have permanent access keys that you can download like regular IAM users have (the "an IAM role doesn't have any credentials" part).

What do they mean when they say an IAM role can't make direct requests to AWS services? I can login to AWS Console (the web console) and create stacks etc, so it can't be that.

Answer

Ngoc Nguyen picture Ngoc Nguyen · Jan 10, 2018

To understand the difference, let us go through IAM basic knowledge

IAM controls: Who (authentication) can do What (authorization) in your AWS account. Authentication(who) with IAM is done with users/groups and roles whereas authorization(what) is done by policies.

Here the term

  • User - End user think about people

  • Groups- a set of users under one set of permission(policies)

  • Roles - are used to grant specific permission to specific actors for a set of duration of time. These actors can be authenticated by AWS or some trusted external system.

User and roles use policies for authorization. Keep in mind that user and role can't do anything until you allow certain actions with a policy.

Answer the following question you will differentiate between user and role?

  • Can have a password? Yes-> user, No-> role
  • Can have an access key?Yes-> user, No-> role
  • Can belong to a group? Yes-> user, No -> role
  • Can be associated with AWS resources (for example EC2 instances)? No-> user, Yes->role

AWS supports 3 Role Types for different scenarios

  • AWS service roles (for example: EC2, Lambda, Redshift,...)
  • Cross-Account Access: granting permissions to users from other AWS account, whether you control those account or not.
  • Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation: - Web-based identity such as Facebook, Goolge- IAM support ingeration via OpenID Connect - SAML 2.0 identity such as Active Directory, LDAP.

To understand what role is, you need to read its use case, I don't want to reinvent the wheel so please read the following AWS documents: https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

Hope it helps.

Related questions

How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?

I cd into the directory where all the pem/key files are and run the following: aws iam upload-server-certificate --server-certificate-name certificate_name --certificate-body file://webservercertificate.pem --private-key file://server.key --certificate-chain file://certificate_chain_file.pem I get the following …

Read More
AccessDeniedException: User is not authorized to perform: lambda:InvokeFunction

I'm trying to invoke a lambda function from node. var aws = require('aws-sdk'); var lambda = new aws.Lambda({ accessKeyId: 'id', secretAccessKey: 'key', region: 'us-west-2' }); lambda.invoke({ FunctionName: 'test1', Payload: JSON.stringify({ key1: 'Arjun', key2: 'kom', key3: 'ath' }) }, function(…

Read More
Proper access policy for Amazon Elastic Search Cluster

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned …

Read More