2
votes

Objective

Clear the confusion of what/who is the principal of an action being executed in AWS with assuming an IAM role.

Background

An IAM role has a Trust relationships tab that defines who can assume the role.


It is described in JSON.

# Trust policy in Terraform aws_iam_policy_document syntax (HCL, rendered to JSON);
# the enclosing data block and its name are added so the fragment is complete.
data "aws_iam_policy_document" "transcoder_trust" {
  statement {
    sid    = "1"
    effect = "Allow"

    # Who may assume the role: the Elastic Transcoder service principal
    principals {
      identifiers = ["elastictranscoder.amazonaws.com"]
      type        = "Service"
    }
    actions = ["sts:AssumeRole"]
  }
}

According to Roles Terms and Concepts, those who can assume the role must be either a user or a role.

Principal
An entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role. You can grant permissions to access a resource in one of two ways:

Trust policy
A document in JSON format in which you define who is allowed to assume the role. This trusted entity is included in the policy as the principal element in the document.

Question

Who/what is the principal if I issue the assume-role command using my AWS account to get a temporary credential, and then run an action, e.g. transcoding video files? According to the AWS document, it must be either a user or a role.

  1. elastictranscoder.amazonaws.com?
  2. The role that defines the trusted relationship with elastictranscoder.amazonaws.com?
  3. My user account?

If it is elastictranscoder.amazonaws.com, then:

  1. Is this a user or a role?
  2. From an audit perspective, is elastictranscoder.amazonaws.com recorded as the principal who executed the action? Where can I identify who became elastictranscoder.amazonaws.com, when, and how?

2 Answers

5
votes

AWS IAM can be thought of as an abstraction over 3 things:

  1. Identity (Role, User, User group)
  2. Policy (Identity based policy, resource based policy)
  3. Resource (AWS resources).

A JSON document is composed of elements, and 'Principal' is one of the elements in the 'Policy' JSON document. Principal elements are only present in resource-based policy JSON documents.

The Principal abstraction is at the same abstraction level as the Identity abstraction. It extends the Identity abstraction and is identified by a granular identity, i.e. an Amazon Resource Name (ARN). It is used only with resource-based policies.

Principal elements are used to specify entities like an AWS account, AWS services, an IAM role, an IAM user, or a federated user, and the actions elements specify what operations principals can perform.

AFAIK, in your context, when you issue the assume-role command using my AWS account to get a temporary credential, there is no Principal involved since there is no resource policy involved; it is just an identity-based policy which gives your IAM role permission to assume the role.

0
votes

When you issue the AssumeRole API call via the CLI or other means, the principal is the identity whose credentials are being used. For example, if you are assuming a role using an IAM user's credentials, the principal is the IAM user.

You receive temporary credentials as a result of a successful AssumeRole API call, and when you perform any action using these temporary credentials, the principal will be the IAM role.

In your example, you are trusting the "elastictranscoder.amazonaws.com" i.e. Elastic Transcoder service itself. You can audit how the service is using the role in CloudTrail logs.
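As an added illustration of this answer's point (example code, not from the question or either answer): a small Python script that reads constructed CloudTrail records and reports the principal behind each, linking an action made with temporary credentials back to the AssumeRole call that issued them. The account ID, ARNs, user name and session names are placeholders.

```python
import json

# Constructed CloudTrail records (not real log data); IDs and ARNs are placeholders.
# Record 0: an IAM user calls sts:AssumeRole. The principal is the user.
# Record 1: an action run with the temporary credentials. The principal is the role
#           session; sessionContext.sessionIssuer names the role, and the session name
#           in the assumed-role ARN links back to record 0.
# Record 2: the service itself assumes the role; CloudTrail records it in invokedBy.
EVENTS = [json.loads(s) for s in (
    '{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    ' "userIdentity":{"type":"IAMUser","userName":"alice",'
    '  "arn":"arn:aws:iam::111122223333:user/alice"},'
    ' "requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/TranscoderRole",'
    '  "roleSessionName":"alice-cli"}}',
    '{"eventSource":"elastictranscoder.amazonaws.com","eventName":"CreateJob",'
    ' "userIdentity":{"type":"AssumedRole",'
    '  "arn":"arn:aws:sts::111122223333:assumed-role/TranscoderRole/alice-cli",'
    '  "sessionContext":{"sessionIssuer":{"type":"Role",'
    '   "arn":"arn:aws:iam::111122223333:role/TranscoderRole"}}}}',
    '{"eventSource":"sts.amazonaws.com","eventName":"AssumeRole",'
    ' "userIdentity":{"type":"AWSService","invokedBy":"elastictranscoder.amazonaws.com"},'
    ' "requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/TranscoderRole",'
    '  "roleSessionName":"ElasticTranscoder"}}',
)]


def principal_of(event):
    """Return (principal, role ARN or None, session name or None) for one record."""
    ident = event["userIdentity"]
    if ident["type"] == "AssumedRole":
        # Action under temporary credentials: the principal is the role session.
        role = ident["sessionContext"]["sessionIssuer"]["arn"]
        session = ident["arn"].rsplit("/", 1)[1]
        return ident["arn"], role, session
    if event["eventSource"] == "sts.amazonaws.com" and event["eventName"] == "AssumeRole":
        # The AssumeRole call itself: the principal is whoever held the calling
        # credentials (an IAM user's ARN, or a service named in invokedBy).
        who = ident.get("invokedBy") or ident["arn"]
        params = event["requestParameters"]
        return who, params["roleArn"], params["roleSessionName"]
    return ident.get("arn"), None, None


def who_assumed(events, role_arn, session):
    """Find the original caller behind a role session via its AssumeRole record."""
    for e in events:
        who, role, sess = principal_of(e)
        if e["eventName"] == "AssumeRole" and role == role_arn and sess == session:
            return who
    return None
```

Running who_assumed over the records above resolves the CreateJob call to alice, which is the "who became the role, when and how" chain the question asks about.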