0
votes

I am curious how roles are working in general and specifically in ECS with Task Roles. So as I read from the docs, roles are using Temporary Security Credentials to authenticate in AWS and then authorize using its (the role's) permissions and then make some actions with the API. Right? But I also read from the docs that every principal (let's say my ECS container agent on my EC2 instance or a task that is managed by it) must be authenticated using some identity.

Does that mean that a role is an identity and principal that can somehow authenticate into AWS and allow my tasks to make API calls?

If so, then how will my tasks be able to make API calls when the Temporary Security Credentials' limited lifetime expires? They use roles, roles use TSC, TSC has a limited lifetime - tasks have limited time to make API calls, right?


1 Answer

1
votes

There would seem to be an infinite regression, here, but there isn't, because the EC2 service itself (not your instance -- the AWS infrastructure) is a principal.

Because that principal is listed in the IAM role trust policy (thus allowing it to call AssumeRole), EC2 can make the initial request to STS for temporary instance role credentials, which it then makes available to code running on the instance, via an internal HTTP endpoint on a 169.254.x.x unroutable address that is only accessible to the instance. Task credentials use a similar mechanism to instance role credentials, bootstrapped by the service itself and accessed using HTTP... so the first principal in the trust chain in either case is a "hidden" player that you don't manage (and for whom you don't manage any credentials, and for whom nothing is stored on the instances).

You can observe these things happening in the background as described, by using AWS CloudTrail to log IAM and STS events.

Each set of temporary credentials obtained has a finite lifetime, but each time the credentials are fetched, a fresh set of credentials is provided with a new, later expiration time (or the previous credential set is returned if it still has substantial life left). The SDKs automatically handle this updating, so task lifetime can be far longer than credential lifetime, because fresh temporary credentials are always available.

All your code has to do is ask for the temporary credentials, which are accessible without further authentication by virtue of where the code itself is actually running (the specific container/instance).
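To make the refresh behaviour described in the answer concrete, here is an added model (not code from the original answer, and not the AWS SDK's own implementation) of what an SDK credential provider does against the link-local credential endpoint. The endpoint, the clock, the six-hour lifetime and the fifteen-minute refresh margin are all constructed for the model; nothing talks to a network.

```python
"""Model of how an SDK keeps temporary credentials fresh.

Added example: the endpoint below is a constructed stand-in for the
link-local HTTP endpoint the answer describes. Lifetime and refresh
margin are constructed values, not AWS's actual numbers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CREDENTIAL_LIFETIME = timedelta(hours=6)   # constructed
REFRESH_MARGIN = timedelta(minutes=15)     # constructed


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


class FakeCredentialEndpoint:
    """Stand-in for the unroutable credential endpoint. It counts how many
    distinct credential sets it has issued so the refresh can be observed."""

    def __init__(self, clock):
        self.clock = clock
        self.issued = 0
        self._current = None

    def fetch(self) -> TemporaryCredentials:
        now = self.clock()
        # As in the answer: hand back the existing set while it still has
        # substantial life left, otherwise mint a fresh set with a later expiry.
        if self._current is None or self._current.expiration - now < 2 * REFRESH_MARGIN:
            self.issued += 1
            self._current = TemporaryCredentials(
                access_key_id=f"ASIACONSTRUCTED{self.issued:04d}",   # constructed
                secret_access_key="constructed-secret",
                session_token=f"constructed-token-{self.issued}",
                expiration=now + CREDENTIAL_LIFETIME,
            )
        return self._current


class RefreshingCredentialProvider:
    """What an SDK credential chain does: cache the current set and re-fetch
    from the endpoint before expiry so callers never sign with a stale set."""

    def __init__(self, endpoint, clock):
        self.endpoint = endpoint
        self.clock = clock
        self._cached = None

    def needs_refresh(self) -> bool:
        if self._cached is None:
            return True
        return self._cached.expiration - self.clock() <= REFRESH_MARGIN

    def get(self) -> TemporaryCredentials:
        if self.needs_refresh():
            self._cached = self.endpoint.fetch()
        return self._cached


def simulate(task_runtime_hours: int, call_interval_minutes: int) -> dict:
    """Run a task for longer than one credential lifetime, making an API call
    every interval, and report how many calls were signed, how many distinct
    credential sets the endpoint issued, and whether any expired set was used."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    clock = lambda: now  # closure sees the rebound `now` on each call
    endpoint = FakeCredentialEndpoint(clock)
    provider = RefreshingCredentialProvider(endpoint, clock)
    end = now + timedelta(hours=task_runtime_hours)
    step = timedelta(minutes=call_interval_minutes)
    calls = expired_uses = 0
    while now < end:
        creds = provider.get()
        if creds.expiration <= now:
            expired_uses += 1
        calls += 1
        now += step
    return {"calls": calls, "credential_sets": endpoint.issued, "expired_uses": expired_uses}


if __name__ == "__main__":
    print(simulate(task_runtime_hours=48, call_interval_minutes=60))
```

A 48-hour task calling once an hour ends up using eight distinct credential sets without ever presenting an expired one, which is the point of the answer: task lifetime is decoupled from credential lifetime. The same logic is why, on a real host, you can watch the corresponding AssumeRole calls appear periodically in CloudTrail, and why the only thing the task needs is reachability to the endpoint rather than any stored secret.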