I have a role attached to a LaunchConfiguration for an EC2 instance, that gives the EC2 instance privs to do certain things like do Cloudwatch logs (the context isn't important to the question). In Cloudformation the Role looks like:
Type: 'AWS::IAM::Role'
Properties:
  AssumeRolePolicyDocument:
    Version: '2012-10-17'
    Statement:
      - Effect: Allow
        Principal:
          Service: 'ec2.amazonaws.com'
        Action: 'sts:AssumeRole'
  Policies: ...
If I view the Role in AWS console, under "Trust relationships" it says "Trusted entities: The identity provider(s) ec2.amazonaws.com":
I assume the CloudFormation AssumeRolePolicyDocument.Principal.Service maps to the "Trusted Entity" in the console (which, as an aside, is a strange way to name things, because I read "Principal" as having a different meaning in IAM, but anyway ...). I'm straining my brain trying to piece together what is going on. My questions are:
- What exactly is an IAM "trusted entity"?
- How is it that the entity 'ec2.amazonaws.com' "assumes the role"? The concept of the service 'ec2.amazonaws.com' assuming the role just doesn't click with me.
- In what sense is the entity 'ec2.amazonaws.com' "providing identities"?
- Where can I find a full list of these so-called trusted entities?
The AssumeRolePolicyDocument specifies who can assume the role. I suspect you can specify that multiple entities can assume a role, but in practice I write a role for each service.
You can think of IAM roles as similar to roles people have. My role as "architect for company XYZ" gives me permissions to enter the office, log into the system, that kind of thing. If I assume a role as, say, a policeman, I have additional rights, such as going into a police station, arresting people, etc.
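As an added example (not code from the question or the answer above), here is a small Python check that reads a trust policy shaped like the AssumeRolePolicyDocument in the question, lists every entity its Allow statements let assume the role (which is what the console summarises as "Trusted entities"), and flags a wildcard principal. The sample policy, the role name and the account id 111122223333 are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Principal keys a trust policy may use, and the kind of trusted entity each names
PRINCIPAL_KINDS = {
    "Service": "AWS service",
    "AWS": "AWS account/user/role",
    "Federated": "identity provider",
}

# Constructed sample: the EC2 trust from the question plus a second statement
# trusting a role in another account (111122223333 is a placeholder id).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/Deployer"]},
         "Action": ["sts:AssumeRole", "sts:TagSession"]},
    ],
}

def _as_list(value) -> list:
    """IAM accepts a single value or a list in Statement, Principal and Action."""
    return value if isinstance(value, list) else [value]

def trusted_entities(trust_policy: Dict) -> List[Tuple[str, str]]:
    """Return (kind, principal) for each entity an Allow statement lets assume
    the role, i.e. the console's 'Trusted entities' list."""
    entities = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                a.startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                       # anyone may assume the role
            entities.append(("anyone", "*"))
            continue
        for key, kind in PRINCIPAL_KINDS.items():
            for p in _as_list(principal.get(key, [])):
                entities.append((kind, p))
    return entities

def overly_broad(trust_policy: Dict) -> List[str]:
    """Principals that trust everyone; a reviewer should reject these."""
    return [p for _, p in trusted_entities(trust_policy) if p == "*"]
```

Feed it the output of `get_role` (the AssumeRolePolicyDocument is returned as a dict) to review trust relationships across an account without opening each role in the console.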