Great work Rahul! Assume Role: Allow entities in other AWS accounts belonging to you or a 3rd party to perform actions in the this account. Best practice when a third party will assume this role.
What is the difference? Normally you would attach policies in the iam user and now you are saying assumerole. How is this beneficial? People keep saying temporary credentials but no proper example. Take a usecase like onprem Jenkins deploying code to ec2 instance or webapi calling lambda.
@@amitkhamkar2943yea you definitely have to have policies attached to your role to grant permissions for your user to use things like ec2 instance or buckets or whatever
hi Rahul,these tutorials helped me a lot ,please make a dedicated video on control Tower as its trending right now and we also got a project to migrate the existing accounts to control tower,you video will help me a lot,thanks in advance
Thanks for such nice video, also when we create a Iam role. In that we can edit the trust relationship and add multiple user's arn in list. Which will be more easy to give the assume role permission to multiple users at once.
Too good, I was looking for this only and didn't get understand by other wiki or channels. But the way you explained too good sir. Please explain assume role using Terraform. Please let me know if you will do so I will join this channel. Thanks once again
Excellent tutorial. Thanks for the detailed explanation. However, we can add that it's not just users who can assume on a role, we also have aws services, applications etc.
Role is a container for a set of policies, and can be thought of as a phantom user. When you assumeRole, you become that phantom user to gain access to several different policies at once.
Excellent explanation, though I am a bit confused, rather might I say, trying to understand what would be the best case, real time scenario where STS: Assume Role can be implemented?
Hey Rahul, For a small organization setup, no need to have 2 separate policies (resource policy & Trust Policy) We can give resource ARN (of who needs to assume this role) in the role trust relationship tab itself like below. Please share your comments.. In your video though & by default, Principal is AWS account. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::XXX:user/test-user" }, "Action": "sts:AssumeRole", "Condition": {} } ] }
if you can attach policy to user or a group why user has to go through steps to assume roles? Is it to provide temporary access only? How to control the temporary access? Please discuss the use cases.
Content is good but the example given here is slightly confusing. In this example, you have created a user which inline policy calls the role. It is policy attached to the Role where the actual instructions are given to grant the access to the S3. Although this has worked but it is complex use. On the other hand the same can be achieved without uaing Role also. Here is how: Go to user & inline policy in it. In this policy you mark "Effect: Allow" , "Action:s3.*", "Resource:*" Thats it. Your user can now able to access the S3. No need to assume any Role or switch the URL etc.
Above is the example of inline policy. You can also attach the AWS managed policy. E.g. in the same example above, when click on add permissions select "Add permissions" instead of "Create inline policy" Select radio button "Attach policy directly". A list of policies appears. Select "AmazonS3FullAccess" from the list and save it. That's it. Your test user can now access the S3 services
@mangeshkhandale6435 I think you are confused i am not solving the problem on accessing the s3 bucket but instead how to access s3 bucket owned by the other account via assume role. Otherwise why would aws have the concept of assume role
Yes. I got it. What I was trying to say is , technically both approaches work. I'm not able to understand what is the benifit of assuming roles by IAM user. In the example you given I don't see any benifit. But definitely there must be some use cases. I'm not a pro in AWS. But I can see from vedios you have good knowledge here. May be you can create a vedio on use case where IAM user assume role instead of permissions from inline policies.
Thanks. 1) Roles can have Policies but here Policy was referring Roles (role arn). 2) To achieve this need, user-id can be directly added S3-Full-Access policy also right?
Part 1 is only focused on creating IAm role and user. But this part is more focused on how to assume the IAM role. Both the parts will look same in the beginning but there is big difference when you reach towards the end.
Why to use that sign in link of the IAM role again after we created a inline-policy for the IAM user(test-user) where we have given the action to assume the IAM role(S3-Full-access-role). what's the significance of inline-policy then?
Why we need aws role if we already have IAM policies.... root account can attache s3 policy for test user or if the test user is the root user than it have already all access....
Yes you are right but here I am trying to explain the assume by simulating the root user, test user and IAM roles otherwise how would explain the assume role scenario. I could easily solve the whole scenario by assigning correct IAM role to test user but that is not the case
@@RahulWagh sir then if we are creating policies and using them directly to our users and services why there is a need of roles ? Please differentiate and help me understand
I ain't able to switch accounts in the test account.. "Invalid information in one or more fields Check your information or contact your administrator." This is what it threw..can you help me out?
I was invited to entry a organization company in AWS, create my account, accept the invitation. But when i log in i dont see any service of the organization, just of my own account. How can i switch to see the services of the company?
What udemy couldn't explain to me better this guy did it in less than twenty minutes.
Thanks for the comment
This was a great tutorial. I now understand how to assume roles better. Thank you
You're very welcome!
Great work Rahul! Assume Role: Allow entities in other AWS accounts belonging to you or a 3rd party to perform actions in the this account. Best practice when a third party will assume this role.
Glad it was helpful
Really liked the way you have explained the topic with hands-on and very crisp description .Thank you
Thank you Rahul! Great content! It really helped me a lot, I have gone through your Terraform videos also. I wish you good luck and keep educating us.
Glad it helped
its a tricky concept , but you explained it very easily . Appreciate your great work and good luck
Glad to know I hope you enjoyed
@@RahulWagh i further tried to imply the same concept to a user group , it worked like a charm , thanks again
@ManojKumar-fb9zc glad to know it worked for you😊. It is always focus on concept rather then easy fix
What is the difference? Normally you would attach policies in the iam user and now you are saying assumerole. How is this beneficial? People keep saying temporary credentials but no proper example. Take a usecase like onprem Jenkins deploying code to ec2 instance or webapi calling lambda.
Role is for the service and policy is for the user
@@rahulsingh-iq4gdappreciate a real answer dude!
@@comosaycomosah don't we attach policy to the role as well?
@@amitkhamkar2943yea you definitely have to have policies attached to your role to grant permissions for your user to use things like ec2 instance or buckets or whatever
@AdarshKumar-dk6sk very underrated comment
hi Rahul,these tutorials helped me a lot ,please make a dedicated video on control Tower as its trending right now and we also got a project to migrate the existing accounts to control tower,you video will help me a lot,thanks in advance
Thanks for such nice video, also when we create a Iam role. In that we can edit the trust relationship and add multiple user's arn in list. Which will be more easy to give the assume role permission to multiple users at once.
this is best explanation to create assume roles
Too good, I was looking for this only and didn't get understand by other wiki or channels. But the way you explained too good sir. Please explain assume role using Terraform.
Please let me know if you will do so I will join this channel. Thanks once again
Thanks and welcome
Excellent tutorial. Thanks for the detailed explanation.
However, we can add that it's not just users who can assume on a role, we also have aws services, applications etc.
It’s 100% true not only users other can also assume the roles
very well explained Role concept
You are welcome
Explanation was good!! But if this was explained with why its required then would have made more sense!! I need to search for the why now.. :)
Thank you Sir. Please keep uploading these. ❣
Cheers
Super Brother nice and calm explanation.
Glad to hear that
Great explanation sir....make some videos on small projects sir... that was helpful for us...THANK YOU
Soon you will see
useful thanks this was a great tutorial for understand how to assume roles
You're very welcome!
perfect tutorial for assume role...thanks!!!
Very well explained. Thank you
You are welcome
Really nice content.
Sir you have a soothing voice.
So nice of you
I am aws solution architect professional certified, still refreshing my knowledge seeing ur videos😂
Glad to hear that
Nice explanation!
Glad it was helpful!
Role is a container for a set of policies, and can be thought of as a phantom user. When you assumeRole, you become that phantom user to gain access to several different policies at once.
Excellent explanation, though I am a bit confused, rather might I say, trying to understand what would be the best case, real time scenario where STS: Assume Role can be implemented?
Hey Rahul,
For a small organization setup, no need to have 2 separate policies (resource policy & Trust Policy)
We can give resource ARN (of who needs to assume this role) in the role trust relationship tab itself like below.
Please share your comments..
In your video though & by default, Principal is AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXX:user/test-user"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Excellent. It answered a critical question fir me, around the type of role. I find the account definition to be a bit misdirecting.
Awesome.... was searching this content. Thank You
Glad it was helpful!
You're the best 👍 💯 ♠
You are welcome
VERY GOOD SIR
Keep watching
You are the best.
Thanks for stopping by on my channel keep following for more similar content
very informative
You are welcome
Thank you for the tutorial ! :)
You're welcome 😊
if you can attach policy to user or a group why user has to go through steps to assume roles? Is it to provide temporary access only? How to control the temporary access? Please discuss the use cases.
This is awesome 🎉
Glad it helped
Why do need role when we can achieve the same thing by attaching a policy to the user?
Hi Rahul,
Nice tutorial, How we can transfer data between Amazon S3 buckets using AWS Transfer Family
Content is good but the example given here is slightly confusing.
In this example, you have created a user which inline policy calls the role. It is policy attached to the Role where the actual instructions are given to grant the access to the S3.
Although this has worked but it is complex use.
On the other hand the same can be achieved without uaing Role also. Here is how:
Go to user & inline policy in it. In this policy you mark "Effect: Allow" , "Action:s3.*", "Resource:*"
Thats it.
Your user can now able to access the S3. No need to assume any Role or switch the URL etc.
Above is the example of inline policy. You can also attach the AWS managed policy.
E.g. in the same example above, when click on add permissions select "Add permissions" instead of "Create inline policy"
Select radio button "Attach policy directly". A list of policies appears. Select "AmazonS3FullAccess" from the list and save it.
That's it. Your test user can now access the S3 services
@mangeshkhandale6435 I think you are confused i am not solving the problem on accessing the s3 bucket but instead how to access s3 bucket owned by the other account via assume role.
Otherwise why would aws have the concept of assume role
Yes. I got it.
What I was trying to say is , technically both approaches work.
I'm not able to understand what is the benifit of assuming roles by IAM user. In the example you given I don't see any benifit.
But definitely there must be some use cases. I'm not a pro in AWS.
But I can see from vedios you have good knowledge here. May be you can create a vedio on use case where IAM user assume role instead of permissions from inline policies.
It will be great if you can add in how to perform these in the CLI.
But why do not you use the Terraform so that you have infrastructure as a code
@@RahulWagh All the infra is already provisioned except the instance. So I just need a simple CLI command to run the instance.
hello , do you have any videos explaining injectedidentity concept for provider configs
Thanks. 1) Roles can have Policies but here Policy was referring Roles (role arn). 2) To achieve this need, user-id can be directly added S3-Full-Access policy also right?
Really Awesome... :)
Rahul, please what is the difference between this and the Part 1 video. For me it looks the same, but this one is a long process
Part 1 is only focused on creating IAm role and user.
But this part is more focused on how to assume the IAM role.
Both the parts will look same in the beginning but there is big difference when you reach towards the end.
Alright, thank you@@RahulWagh
Why to use that sign in link of the IAM role again after we created a inline-policy for the IAM user(test-user) where we have given the action to assume the IAM role(S3-Full-access-role). what's the significance of inline-policy then?
how to use this role using sdk in java?
Sir, What is the difference between root user and management account?
Thank you.
You're welcome!
can we attache policy directly to IMA User without role
I hope you have something on cloudformation
It is in my pipeline you would see those coming soon in upcoming weeks
Why we need aws role if we already have IAM policies.... root account can attache s3 policy for test user or if the test user is the root user than it have already all access....
Yes you are right but here I am trying to explain the assume by simulating the root user, test user and IAM roles otherwise how would explain the assume role scenario.
I could easily solve the whole scenario by assigning correct IAM role to test user but that is not the case
nice once can you create s3 cross region with 2 account
I will try
Sir a doubt, that means roles can be assumed for a single time or upto a time limit but policies will be permanent? Is my understanding right ?
Roles can be assumed when ever we need there is no time limit
@@RahulWagh sir then if we are creating policies and using them directly to our users and services why there is a need of roles ? Please differentiate and help me understand
I ain't able to switch accounts in the test account..
"Invalid information in one or more fields
Check your information or contact your administrator."
This is what it threw..can you help me out?
Try this policy at Roles trust relationship tab instead of giving policy at user end
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXX:user/test-user"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
@@RajeeshCr2006 Thankyou
I was invited to entry a organization company in AWS, create my account, accept the invitation. But when i log in i dont see any service of the organization, just of my own account. How can i switch to see the services of the company?
I think still you don't have any permissions to access
Thanks
Welcome
😢help here, root user can't create user because no identity based policy
could you please put Video to deploy databricks14 day free trail in AWS , it will be more useful to me and also Subscribers , Thank you.
We will try
amazing. thank you so much :)
You are welcome