AWS – Identity and Access Management ( IAM ) – Switching Roles

Background

To better safeguard the system, it is best not to grant sensitive permissions directly to user accounts, and instead to grant those permissions only to roles.  Users can then be granted permission to assume the roles.

To perform those sensitive actions, users have to switch over to the provisioned roles, perform the actions, and then revert to their user account.

Administrative Function

The system administrator will have to do the following :-

  1. Role
    • Create
      • Create Role
  2. Permissions
    • Grant
      • Grant permissions to Role
  3. Membership
    • Add principals to the Role
  4. Relationship
    • Trust Relationship
      • The role must have a trust relationship with the source profile to allow itself to be assumed.
    • Assume Role
      • Grant Principals permission to assume the role
      • The source profile must have permission to call sts:AssumeRole against the role

Sample Policies

AWS ( AWS Documentation » AWS Command Line Interface » User Guide » Configuring the AWS CLI » Assuming a Role ) has a good write-up here.

Role – Trust Relationship with User

sts.AssumeRole.20181110.0242PM

User – Permission to Assume Role

sts.AssumeRole.iamUserPermission.20181110.0249PM.PNG

GUI

Outline

  1. Access Switch Role ( Link )
  2. Enter Role’s Information
    • account_id_number – The 12-digit account identifier provided to you by your administrator.
    • role_name – The name of the role that you want to assume.
    • (Optional) text_to_display – The text that you want to appear on the navigation bar in place of your user name when this role is active.
    • Click on the “Switch Role” button
  3. Perform the activities that need the elevated permissions
  4. Revert from role to self


Images

Switch Role

role.SwitchRole.20181110.0452PM

Switched Role

role.Switched.20181110.0451PM.PNG

Command Line Interface ( CLI )

Client Preparation

Let us go over what it takes to prepare a client

Outline

  1. Configure Client’s Credential
  2. Configure Role via Profile Registration

Configure Client’s Credential

Upon installing AWS’s Command Line Interface, one needs to register their credentials.

This is done by launching a terminal or command console and issuing the aws configure command.

Validate

Please validate whether you have already done so.

One pathway is to look for the credentials file.

Its location is OS specific:

  1. Windows
    • Syntax :- C:\Users\[username]\.aws\credentials
    • Sample :- C:\Users\dadeniji\.aws\credentials

Syntax

aws configure

Steps

Please fill out the details such as :-

  1. AWS Access Key ID
  2. AWS Secret Access Key
  3. Default Region Name
  4. Default output format

Output

aws.configuration.20181109.1117AM.cleanedup.PNG

Effect

Once done, the entries are saved in the credentials file.

  1. OS
    • Windows
      • Syntax :- C:\Users\[username]\.aws\credentials
      • Sample :- C:\Users\dadeniji\.aws\credentials

Configure Role via Profile Registration

Next, create or edit the config file.

File Location

Its location is OS specific:

  1. Windows
    • Syntax :- C:\Users\[username]\.aws\config
    • Sample :- C:\Users\dadeniji\.aws\config

Nomenclature
  1. account_id_number
    • The 12-digit account identifier provided to you by your administrator
  2. role_name
    • The name of the role that you want to assume. You can get this from the end of the role’s ARN.
      • If the ARN is arn:aws:iam::403299380220:role/TestRole
        • The role’s name is TestRole
          • As role does not have a path
      • If the ARN is arn:aws:iam::403299380220:role/restaurant/TestRole
        • The role’s name is /restaurant/TestRole
          • As role has a path ( restaurant )

Syntax

[default]

[profile dba]
role_arn = arn:aws:iam::[account-id]:role/[role-name]
source_profile = default
region = [region]

Sample

[default]

[profile dba]
role_arn = arn:aws:iam::0611271771:role/dba
source_profile = default
region = us-west-2
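The post's "Sample Policies" section only survives as image names, and the "Administrative Function" section lists the two conditions that must hold before a profile like [profile dba] can assume its role. The following script is an added example, not code from the original post or from AWS: it parses a config stanza in the shape shown above, embeds a constructed trust policy and a constructed user permission policy (all ARNs, account ids and the user name dadeniji are placeholders), and reports which of the two conditions fails. Evaluation is simplified to Allow statements only; explicit Deny statements, conditions and wildcard actions are not modelled.

```python
"""Added example (not from the original post): check the two conditions the
post says must hold before `aws <cmd> --profile dba` can assume a role.

1. The role's trust policy must allow the source principal (the IAM user
   behind the `default` profile) to call sts:AssumeRole.
2. The source principal's own policy must allow sts:AssumeRole on the role.

Every policy document, ARN and config stanza below is constructed sample
data; the account id 111122223333 is a placeholder, not a real account.
"""
import configparser
import re

# Constructed ~/.aws/config content, shaped like the post's sample profile.
SAMPLE_CONFIG = """
[default]
region = us-west-2

[profile dba]
role_arn = arn:aws:iam::111122223333:role/dba
source_profile = default
region = us-west-2
"""

# Constructed: the IAM user whose access keys sit behind the default profile.
SOURCE_USER_ARN = "arn:aws:iam::111122223333:user/dadeniji"

# Constructed trust policy attached to the role ("Trust Relationship" tab).
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/dadeniji"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed identity policy attached to the user ("Permission to Assume Role").
USER_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::111122223333:role/dba",
    }],
}


def load_profile(config_text, profile):
    """Return the key/value pairs of a `[profile <name>]` (or `[default]`) stanza."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not parser.has_section(section):
        raise KeyError(f"no such profile: {profile}")
    return dict(parser[section])


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def trust_allows(trust_policy, principal_arn):
    """True if an Allow statement names the user (or its account root) for sts:AssumeRole."""
    account_root = re.sub(r":user/.*$", ":root", principal_arn)
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn in allowed or account_root in allowed:
            return True
    return False


def user_may_assume(permission_policy, role_arn):
    """True if the user's policy allows sts:AssumeRole on the role ARN (or on `*`)."""
    for stmt in permission_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if any(res in ("*", role_arn) for res in _as_list(stmt.get("Resource", []))):
            return True
    return False


def diagnose(config_text, profile, source_user_arn, trust_policy, permission_policy):
    """Return a list of findings for the profile; an empty list means both checks pass."""
    prof = load_profile(config_text, profile)
    role_arn = prof.get("role_arn")
    if not role_arn:
        return [f"profile {profile} has no role_arn"]
    findings = []
    # A role ARN carries a 12-digit account id; anything else is a typo in config.
    if not re.fullmatch(r"arn:aws:iam::\d{12}:role/.+", role_arn):
        findings.append(f"role_arn is malformed (account id must be 12 digits): {role_arn}")
    if not trust_allows(trust_policy, source_user_arn):
        findings.append("role trust policy does not allow the source principal to assume it")
    if not user_may_assume(permission_policy, role_arn):
        findings.append("source principal lacks sts:AssumeRole on the role")
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, "dba", SOURCE_USER_ARN,
                   ROLE_TRUST_POLICY, USER_PERMISSION_POLICY) or "both checks pass")
```

Run it as-is and it prints that both checks pass; change the Principal in the trust policy to another user, or drop the Resource from the user policy, and the matching finding appears. Either failure is what the CLI reports as "AccessDenied when calling the AssumeRole operation", so the script separates the two causes that the error message lumps together.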

Request

Let us request role processing

Outline

  1. Interactively
  2. Ongoing

Interactive

Overview

We are able to request role switching on each command that needs the designated privileges.

Sample Requests

  1. List IAM Users
    • aws iam list-users --profile adminMarketing
  2. List RDS Instances
    • aws rds describe-db-instances --profile adminMarketing

Actual Request ( as current user )

aws s3 ls

Textual

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

Image

withSwitchRoleRequestedInteractively.20181110.0400PM

Actual Request – Assume Role

aws s3 ls --profile dba

Textual

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Image

withSwitchRoleRequestedInteractively.20181110.0400PM

Textual

Unable to assume role.

Actual Request – Assume Role in debug mode

aws s3 ls --profile dba --debug

Textual

    return self._get_cached_credentials()
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\credentials.py", line 576, in _get_cached_credentials
    response = self._get_credentials()
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\credentials.py", line 698, in _get_credentials
    return client.assume_role(**kwargs)
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\client.py", line 320, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "C:\Program Files\Amazon\AWSCLI\runtime\lib\site-packages\botocore\client.py", line 623, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
2018-11-10 14:31:35,342 - MainThread - awscli.clidriver - DEBUG - Exiting with rc 255

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Image

withSwitchRoleRequestedInteractivelyInDebugMode.20181110.0443PM

Textual

  1. Stack Trace that shows the functions called
  2. Return Code ( rc ) is 255


Summary

We will have to work with our AWS administrators and review the permissions we have on the role.

I need to have the ability to assume the role.

Again, the specific areas that need scrutiny are:

  1. The role must have a trust relationship with the source profile to allow itself to be assumed
  2. And, each of us must have permission to call sts:AssumeRole against the role
