0
votes

Question

What is the .amazonaws.com entry, such as elastictranscoder.amazonaws.com?

```hcl
# The statement from the question, shown inside the aws_iam_policy_document
# data source it belongs to (the surrounding data block is assumed).
data "aws_iam_policy_document" "assume_role" {
  statement {
    sid    = "1"
    effect = "Allow"

    # type = "Service" names an AWS service principal by its service name.
    principals {
      identifiers = ["elastictranscoder.amazonaws.com"]
      type        = "Service"
    }

    actions = ["sts:AssumeRole"]
  }
}
```

According to Roles Terms and Concepts, it should be either an IAM user or a role. I wonder which one it is.

Principal
An entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role.

Trust policy
A document in JSON format in which you define who is allowed to assume the role. This trusted entity is included in the policy as the principal element in the document.


1 Answer

2
votes

It's neither. That definition is incomplete.

It's an AWS Service (type = "Service").

Use the Principal element to specify the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource. (emphasis added)

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
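To make the distinction concrete, here is an added example (not part of the answer or the AWS documentation) that walks a role trust policy in its JSON form and reports each principal by the key it appears under: "AWS" for account, user or role ARNs, "Service" for an AWS service such as elastictranscoder.amazonaws.com, "Federated" for an identity provider. It also flags wildcard principals, since a trust policy that lets any principal assume the role is the usual mistake to catch in review. The sample policy, the account ID and the role name in it are constructed.

```python
import json
from typing import List, Tuple

# Constructed sample trust policy (not from the post): the JSON form of the
# question's Terraform statement, plus an "AWS" principal and a wildcard for contrast.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "1", "Effect": "Allow",
         "Principal": {"Service": "elastictranscoder.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Sid": "2", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:role/Deploy"]},
         "Action": "sts:AssumeRole"},
        {"Sid": "3", "Effect": "Allow", "Principal": "*",
         "Action": "sts:AssumeRole"},
    ],
})


def list_principals(policy_json: str) -> List[Tuple[str, str, str]]:
    """Return (sid, principal_type, identifier) for every Allow statement.

    principal_type is the Principal element's key: "AWS" for account, user or
    role ARNs, "Service" for an AWS service, "Federated" for an identity
    provider; a bare "*" principal is reported with type "*".
    """
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "")
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append((sid, "*", "*"))
            continue
        for ptype, ids in principal.items():
            for ident in ([ids] if isinstance(ids, str) else ids):
                found.append((sid, ptype, ident))
    return found


def wildcard_trust_sids(policy_json: str) -> List[str]:
    """Sids of Allow statements that let any AWS principal assume the role."""
    return [sid for sid, ptype, ident in list_principals(policy_json)
            if ptype == "*" or ident == "*"]
```

Running list_principals on the sample reports the first statement as ("1", "Service", "elastictranscoder.amazonaws.com"), which is the type the answer describes, and wildcard_trust_sids returns only statement "3".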