ForeverConfused

Reputation: 1777

What are the benefits of sharing an IAM role instead of an IAM key?

I'm told sharing IAM roles with third parties is more secure than sharing IAM keys. Currently we limit IAM keys with IP filters and many conditions on access control.

Why would sharing IAM roles be better? My understanding is they can use their role to assume privilege for a time-limited period from something like the boto3 API. But if they can assume the role without limit, how is there a security benefit over a key?

Upvotes: 0

Views: 424

Answers (2)

Maverick

Reputation: 156

To grant an external party access to the AWS resources owned by you, you have following options:

  1. [WORST APPROACH] You create an IAM user (say, Foo) and grant it the required permissions and then share the same with the external parties. This is obviously the worst approach as now you have no segregation between who is making calls to your resources because in effect, it is always Foo who is calling you.
  2. You let your clients create IAM users in their own accounts and then whitelist them in your resource's policy. This works, given that your resource supports resource-level policies (S3 and API Gateway do). Even if they do support resource-level policies, it is now an overhead for you to whitelist all such users created by all your clients which can access the resource.
  3. You create an IAM role, grant it capabilities (in terms of IAM policies) to access your resource and then whitelist your clients' IAM users to assume that role. This will be your way of saying "this role is capable of accessing my resource and if you can assume this role, so can you". Moreover, this also prevents you from sharing the credentials, as AWS STS does all the work of generating the temporary credentials for you.

Upvotes: 0
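Option 3 from the answer above, written out as an added example (this is not code from the original post). It assumes made-up account IDs, a role name `PartnerReadOnly`, a bucket name and an external ID; `boto3` is only needed for `assume_partner_role()`, which is the call the third party makes and which is not run offline. The trust policy restricts who may assume the role and requires an ExternalId (the usual mitigation for the confused-deputy problem), the permissions policy scopes what the role can do, and `trust_policy_findings()` is the sanity check you would run before deploying a trust policy.

```python
"""Cross-account role + STS AssumeRole (added example, not from the original post).

Account IDs, role name, bucket name and external ID below are made up.
"""
import json

OWNER_ACCOUNT = "111111111111"      # your account (assumed value)
PARTNER_ACCOUNT = "222222222222"    # the third party's account (assumed value)
ROLE_NAME = "PartnerReadOnly"       # assumed role name


def trust_policy(partner_account: str, external_id: str) -> dict:
    """Who may assume the role: only principals in the partner account, and
    only if they present the agreed ExternalId (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{partner_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """What the role may do once assumed: read one bucket, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Pre-deployment checks on a trust policy: flags a wildcard principal
    and a missing sts:ExternalId condition on any AssumeRole Allow statement."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a.startswith("sts:AssumeRole") for a in actions):
            continue
        principal = st.get("Principal", {})
        aws_principal = principal.get("AWS", "") if isinstance(principal, dict) else principal
        if aws_principal == "*" or principal == "*":
            findings.append("any AWS account may assume this role")
        cond = st.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
    return findings


def assume_partner_role(role_arn: str, external_id: str,
                        session_name: str, duration_seconds: int = 3600) -> dict:
    """Run by the partner using their own credentials. Returns temporary keys
    (AccessKeyId, SecretAccessKey, SessionToken, Expiration) that die after
    duration_seconds. Needs network access and boto3; not run offline."""
    import boto3  # imported here so the rest of the module works without it
    resp = boto3.client("sts").assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,   # recorded in the role owner's CloudTrail
        ExternalId=external_id,
        DurationSeconds=duration_seconds,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    print(json.dumps(trust_policy(PARTNER_ACCOUNT, "agreed-secret-id"), indent=2))
    print(json.dumps(permissions_policy("partner-exports"), indent=2))
    too_open = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                               "Action": "sts:AssumeRole"}]}
    print(trust_policy_findings(too_open))
```

The role ARN the partner needs is `arn:aws:iam::111111111111:role/PartnerReadOnly`; on their side they still need an identity policy allowing `sts:AssumeRole` on that ARN, and `RoleSessionName` is what lets you tell the partner's individual callers apart in CloudTrail, which is the segregation the first option in the answer lacks.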

admarple

Reputation: 36

First, as you mentioned, the short-lived session credentials used by a role limit the time that compromised credentials can be used.

Second, with an IAM user, any time the third party needs to access resources in your account, they must possess the access key and secret key of your IAM user. If they want to access resources from your account from an EC2 instance, they need to have a way to securely push the keys to the EC2 instance. If they want to access resources from a Lambda, they need to make the keys available to the Lambda. If they want to access resources from a mobile device, they need to push the credentials to the mobile device (where they are more difficult to secure, let alone rotate).

Managing these credentials is not only additional work for the third party, but also additional risk for you. The long-lived credentials for your IAM user are now being passed around by a third party.

Using an IAM role instead, you can allow the third party to access resources without passing your credentials around. An EC2 instance can avoid handling your credentials using EC2 instance roles. Lambda, similarly, can avoid handling your credentials by using execution roles. On a mobile device, there is Cognito.

Upvotes: 1
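The first point of the answer above, that a leaked session credential is bounded in time, goes a bit further than it states: the role owner can also cut off every session issued before a chosen instant by attaching a Deny keyed on `aws:TokenIssueTime` (this is the statement the IAM console's "Revoke active sessions" action attaches), without rotating anything on the partner's side. The block below is an added example, not code from the answer; it models the two checks a stolen session key has to pass (not expired, not revoked) and assumes a 1-hour `MaxSessionDuration` and made-up timestamps. It is a model of the behaviour, not an IAM policy engine.

```python
"""Why a leaked role session is bounded, and how to revoke sessions in bulk
(added example, not from the original answer; timestamps are made up)."""
from datetime import datetime, timedelta, timezone

MAX_SESSION = timedelta(hours=1)   # the role's MaxSessionDuration (assumed 1 hour)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def revoke_sessions_before(cutoff: datetime) -> dict:
    """Inline policy denying everything to sessions issued before `cutoff`.
    Attach it to the role (iam:PutRolePolicy); sessions issued afterwards
    are unaffected, so the partner simply re-assumes the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "DateLessThan": {"aws:TokenIssueTime": cutoff.strftime(TIME_FMT)}
            },
        }],
    }


def session_usable(issued_at: datetime, now: datetime, revoke_policy=None) -> bool:
    """True if a session issued at `issued_at` still works at `now`:
    it must be inside MAX_SESSION and not covered by a Deny on
    aws:TokenIssueTime. Contrast with a long-lived IAM user key, which
    works until someone remembers to deactivate it."""
    if now >= issued_at + MAX_SESSION:
        return False                                   # expired; STS keys are dead
    if revoke_policy:
        for st in revoke_policy.get("Statement", []):
            cutoff = (st.get("Condition", {})
                        .get("DateLessThan", {})
                        .get("aws:TokenIssueTime"))
            if st.get("Effect") == "Deny" and cutoff:
                cutoff_dt = datetime.strptime(cutoff, TIME_FMT).replace(tzinfo=timezone.utc)
                if issued_at < cutoff_dt:
                    return False                       # explicitly denied
    return True


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    print("30 min after issue, no action taken:", session_usable(t0, t0 + timedelta(minutes=30)))
    print("2 h after issue, no action taken:  ", session_usable(t0, t0 + timedelta(hours=2)))
    policy = revoke_sessions_before(t0 + timedelta(minutes=10))
    print("30 min after issue, revoked at +10: ", session_usable(t0, t0 + timedelta(minutes=30), policy))
```

Note that the Deny condition compares against the time the session was issued, not the current time, so a partner that re-assumes the role after the cutoff gets a working session while any key that leaked before the cutoff stays dead; that is the answer to "but if they can assume the role without limit": each individual session is still short, attributable and revocable.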
