AWS: allow an assumed role to assume another role

You may occasionally wish to allow an assumed IAM role, such as a role assumed via an EC2 instance profile, to assume another role. This is described in Switching to an IAM Role (AWS CLI) as “role chaining”. If we wish for role A to be able to assume role B, for example, we must add a statement to the “trust policy” of role B, like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "...",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:role/a"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

On the EC2, assumed role A will start out looking something like this:

$ aws sts get-caller-identity
{
    "Account": "000000000000", 
    "UserId": "AROAJQTW5F5O55I5ZXQ24:i-00000000000000000", 
    "Arn": "arn:aws:sts::000000000000:assumed-role/a/i-00000000000000000"
}

Although this is an assumed-role session whose ARN looks different from the role ARN we named as the Principal in the trust policy, it will still be allowed to assume role B: IAM evaluates the session against the IAM role it was created from.
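To make that matching rule concrete, here is an added Python example (not code from the post or from AWS) that maps the STS session ARN shown above back onto the IAM role ARN and then evaluates a trust policy against it; the policy, ARNs and function names are constructed for illustration and assume roles without an IAM path.

```python
import fnmatch
import json
import re

# Constructed trust policy for role B, mirroring the statement in the post.
TRUST_POLICY_B = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRoleAToChain",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::000000000000:role/a"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# arn:PARTITION:sts::ACCOUNT:assumed-role/ROLE/SESSION (assumes no role path)
ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/]+)/(?P<session>.+)$"
)


def normalize_principal(arn):
    """Map an STS assumed-role session ARN onto the IAM role ARN that a
    trust policy names. Any other ARN is returned unchanged."""
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        return arn
    return "arn:{partition}:iam::{account}:role/{role}".format(**m.groupdict())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows(policy, caller_arn, action="sts:AssumeRole"):
    """True if the trust policy lets caller_arn perform action. Only the
    'AWS' principal element is checked; an explicit Deny beats any Allow."""
    principal = normalize_principal(caller_arn)
    allowed = False
    for stmt in policy.get("Statement", []):
        p = stmt.get("Principal", {})
        principals = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        actions = _as_list(stmt.get("Action", []))
        if principal not in principals and "*" not in principals:
            continue
        if not any(fnmatch.fnmatch(action, a) for a in actions):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed
```

Credentials obtained through role chaining are limited to a one-hour session regardless of the maximum session duration configured on role B.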
