Tags: amazon-web-services, amazon-iam, federated-identity

Difference between IAM role and IAM user in AWS


What is the difference between an IAM role and an IAM user? The IAM FAQ has an entry explaining it, but it was vague and not very clear:

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

I think an IAM role is used for federated logins (using an IdP with SAML tokens for example), and they don't have permanent access keys that you can download like regular IAM users have (the "an IAM role doesn't have any credentials" part).

What do they mean when they say an IAM role can't make direct requests to AWS services? I can login to AWS Console (the web console) and create stacks etc, so it can't be that.


Solution

  • To understand the difference, let us go through some IAM basics.

    IAM controls who (authentication) can do what (authorization) in your AWS account. Authentication (who) with IAM is done with users/groups and roles, whereas authorization (what) is done with policies.

    Here the terms mean:

    • User - an end user; think about people

    • Groups - a set of users under one set of permissions (policies)

    • Roles - used to grant specific permissions to specific actors for a set duration of time. These actors can be authenticated by AWS or by some trusted external system.

    Users and roles use policies for authorization. Keep in mind that a user or role can't do anything until you allow certain actions with a policy.

    Answer the following questions and you will differentiate between a user and a role:

    • Can have a password? Yes -> user, No -> role
    • Can have an access key? Yes -> user, No -> role
    • Can belong to a group? Yes -> user, No -> role
    • Can be associated with AWS resources (for example EC2 instances)? No -> user, Yes -> role

    AWS supports 3 role types for different scenarios:

    • AWS service roles (for example: EC2, Lambda, Redshift, ...)
    • Cross-account access: granting permissions to users from other AWS accounts, whether you control those accounts or not.
    • Identity provider access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation:
      • Web-based identity such as Facebook or Google - IAM supports integration via OpenID Connect
      • SAML 2.0 identity such as Active Directory or LDAP

    To understand what a role is, you need to read its use cases. I don't want to reinvent the wheel, so please read the following AWS documents: https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

    Hope it helps.
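The practical difference between the two is visible in the role's trust policy, which is what decides who may call sts:AssumeRole (or AssumeRoleWithSAML) and receive temporary credentials. As an added example that is not part of the question or the answer above, the Python below builds a trust policy for each of the three role types the answer lists (service role, cross-account role, SAML federation role) and audits a trust policy for the mistakes a reviewer would look for: a wildcard principal, and a foreign-account principal with no sts:ExternalId condition (the AWS-recommended guard when a third party assumes your role). All account IDs, role and provider names are constructed placeholders; the `assume_role_credentials` helper shows the STS call that exchanges a caller's credentials for short-lived ones, but it needs boto3 and network access and is not exercised here.

```python
"""Build and audit IAM role trust policies for the three role types.

Account IDs, names and ARNs are constructed placeholders, not real resources.
"""
import json

POLICY_VERSION = "2012-10-17"


def service_trust_policy(service_prefix):
    """AWS service role: the service (e.g. 'ec2', 'lambda') assumes the role."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": f"{service_prefix}.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def cross_account_trust_policy(trusted_account_id, external_id=None):
    """Cross-account role: principals in another account may assume the role.

    external_id is the value the other party must present on AssumeRole.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def saml_trust_policy(account_id, provider_name):
    """Identity-provider role: users authenticated by a SAML 2.0 IdP assume it."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, own_account_id):
    """Return findings about who may assume the role (empty list = nothing flagged).

    Flags wildcard principals, other-account principals with no sts:ExternalId
    condition, and statements granting more than the sts:AssumeRole* actions.
    """
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        if any(not a.startswith("sts:AssumeRole") for a in actions):
            findings.append(f"non-AssumeRole action in trust policy: {actions}")
        principal = statement.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal: any principal may attempt AssumeRole")
            continue
        if not isinstance(principal, dict):
            continue
        conditions = statement.get("Condition", {})
        has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                findings.append("wildcard AWS principal: any principal may attempt AssumeRole")
            elif f":{own_account_id}:" not in arn and not has_external_id:
                findings.append(f"cross-account principal {arn} without sts:ExternalId condition")
    return findings


def assume_role_credentials(role_arn, session_name, external_id=None):
    """Exchange the caller's credentials for temporary role credentials via STS.

    Requires boto3 and network access; not run offline. The returned dict holds
    AccessKeyId, SecretAccessKey, SessionToken and an Expiration timestamp,
    which is the sense in which a role itself has no long-term credentials.
    """
    import boto3  # lazy import so the rest of the module works without it
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id is not None:
        kwargs["ExternalId"] = external_id
    return boto3.client("sts").assume_role(**kwargs)["Credentials"]


if __name__ == "__main__":
    own, partner = "111122223333", "444455556666"  # constructed placeholder accounts
    for name, policy in [
        ("ec2-service", service_trust_policy("ec2")),
        ("partner-no-externalid", cross_account_trust_policy(partner)),
        ("partner-externalid", cross_account_trust_policy(partner, "example-external-id")),
        ("saml", saml_trust_policy(own, "corp-adfs")),
    ]:
        print(name, json.dumps(policy), audit_trust_policy(policy, own))
```

Run the module directly to print each generated trust policy next to its audit findings; only the cross-account policy without an ExternalId condition is flagged. The same `audit_trust_policy` function can be pointed at trust policies pulled from an existing account to find roles that any principal, or any foreign account, is allowed to assume.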