{"id":432,"date":"2019-01-31T17:26:19","date_gmt":"2019-01-31T23:26:19","guid":{"rendered":"https:\/\/sha.nnoncarey.com\/blog\/?p=432"},"modified":"2019-01-31T17:26:19","modified_gmt":"2019-01-31T23:26:19","slug":"aws-allow-an-assumed-role-to-assume-another-role","status":"publish","type":"post","link":"https:\/\/sha.nnoncarey.com\/blog\/archives\/432","title":{"rendered":"AWS: allow an assumed role to assume another role"},"content":{"rendered":"

You may occasionally wish to allow an assumed IAM role, such as a role assumed via an EC2 instance profile, to assume another role. This is described in in\u00c2\u00a0Switching to an IAM Role (AWS CLI)<\/a> as “role chaining<\/a>“. If we wish for role A to be able to assume role B, for example, we must add a statement to the “trust policy” in role B, like this:<\/p>\n\n

\n{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n      "Sid": "...",\n      "Effect": "Allow",\n      "Principal": {\n        "AWS": "arn:aws:iam::000000000000:role\/a"\n      },\n      "Action": "sts:AssumeRole"\n    }\n  ]\n}\n<\/pre><\/div>\n\n\n
On the EC2, assumed role A will start out looking something like this:<\/p>\n\n\n
\n$ aws sts get-caller-identity\n{\n    "Account": "000000000000", \n    "UserId": "AROAJQTW5F5O55I5ZXQ24:i-00000000000000000", \n    "Arn": "arn:aws:sts::000000000000:assumed-role\/a\/i-00000000000000000"\n}\n<\/pre><\/div>\n\n\n
Despite the fact that this is an assumed role and looks different from the Principal for role A which we referenced in our trust policy, it will still be allowed to assume role B.<\/p>\n","protected":false},"excerpt":{"rendered":"
You may occasionally wish to allow an assumed IAM role, such as a role assumed via an EC2 instance profile, to assume another role. This is described in in\u00c2\u00a0Switching to an IAM Role (AWS CLI) as “role chaining“. If we wish for role A to be able to assume role B, for example, we must … Continue reading “AWS: allow an assumed role to assume another role”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-432","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/posts\/432","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/comments?post=432"}],"version-history":[{"count":1,"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/posts\/432\/revisions"}],"predecessor-version":[{"id":433,"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/posts\/432\/revisions\/433"}],"wp:attachment":[{"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/media?parent=432"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/categories?post=432"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sha.nnoncarey.com\/blog\/wp-json\/wp\/v2\/tags?post=432"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}