TransWikia.com

What is the purpose of AssumeRolePolicyDocument in IAM?

DevOps Asked by Dr. Chocolate on November 18, 2021

I’m confused as to what the purpose of AssumeRolePolicyDocument is.
It seems like to create a role all you need is a parent name that you can attach policies to.

It seems like AssumeRolePolicyDocument is that parent name but somehow there’s more to it.

What is this doing?

"AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": ["lambda.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
        }
    ]
}

4 Answers

I think it's much clearer when considering the user that creates a role isn't necessarily the one attaching it for use somewhere:

  • AssumeRolePolicyDocument is a restriction placed by the user that creates the role - e.g. possibly an admin. It prevents other users from attaching it to any AWS service / user they like. Also, it tells nothing about where it's actually used. It's a protection on the Role-side (treating Role as a resource that should also be protected).

  • OTOH, actually assigning a role to a service / user, is done by users that actually need now some service to have permissions. And they're allowed to do it only if the Role's AssumeRolePolicyDocument allows it.

Granted, when you're the sole user you might not care much about it. It does, though, add more security and documents (forcibly :) ) how the role is intended to be used.

Answered by yair on November 18, 2021

For anyone who is scratching their head at the naming convention:

AssumeRolePolicyDocument (in CloudFormation yaml) = Trust Relationships (in AWS Console web GUI)

Policies (in CloudFormation yaml) = Permissions (in AWS Console web GUI)

Answered by Tony Sepia on November 18, 2021

The purpose of assume role policy document is to grants an IAM entity permission to assume a role. It is also known as a "role trust policy".

In other words, for given permissions you set, it allow users from certain AWS account to assume this role and access that account.

It is recommended that you update the role trust policy to restrict access to only authorized users, otherwise any AWS account could assume the role and access that account.

By specifying Principal using Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user, you allow or deny access to assume that role (sts:AssumeRole).

Answered by kenorb on November 18, 2021

The purpose of the AssumeRolePolicyDocument is to contain the trust relationship policy that grants an entity permission to assume the role.

In your example it's granting the Lambda service the ability to assume

References

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html

Answered by kenlukas on November 18, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP