Objective
Clear the confusion of what/who is the principal of an action being executed in AWS with assuming an IAM role.
Background
An IAM role has a Trust relationships tab that defines who can assume the role.
It is described in JSON.
```hcl
# Trust policy in Terraform HCL (aws_iam_policy_document form); the original fragment
# wrapped in its data source so it is a complete, valid document.
data "aws_iam_policy_document" "assume_role" {
  statement {
    sid    = "1"
    effect = "Allow"

    # The trusted entity: here an AWS service, not an IAM user or role.
    principals {
      type        = "Service"
      identifiers = ["elastictranscoder.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}
```
According to Roles Terms and Concepts, those who can assume the role must be either a user or a role.
Principal
An entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role. You can grant permissions to access a resource in one of two ways:
Trust policy
A document in JSON format in which you define who is allowed to assume the role. This trusted entity is included in the policy as the principal element in the document.
Question
Who/what is the principal if I issue the assume-role command using my AWS account to get a temporary credential, and then run an action e.g. transcode video files? According to the AWS document, it must be either a user or a role.
- elastictranscoder.amazonaws.com?
- The role that defines the trusted relationship with elastictranscoder.amazonaws.com?
- My user account?
If it is elastictranscoder.amazonaws.com, then:
- Is this a user or a role?
- From an audit perspective, is elastictranscoder.amazonaws.com recorded as the principal who executed the action? Where can I identify who became elastictranscoder.amazonaws.com, when, and how?
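The audit question above, as an added example that is not part of the original post: it correlates CloudTrail records so that an action run under temporary credentials (recorded with a principal of type AssumedRole) is traced back to the sts:AssumeRole call and the IAM user who made it. The account id, user alice, role TranscodeRole, session name and timestamps are constructed, and it assumes the role's trust policy also permits that IAM user to assume it.

```python
# Added example (not from the original question): correlate CloudTrail records so that
# an action taken by an assumed-role session is traced back to the IAM user who called
# sts:AssumeRole. Account id, ARNs, session names and timestamps are constructed.
import json

# Constructed sample CloudTrail records (not real events).
RECORDS = [
    {   # 1. The IAM user calls AssumeRole; the response names the new session ARN.
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/TranscodeRole",
                              "roleSessionName": "alice-cli"},
        "responseElements": {"assumedRoleUser": {
            "arn": "arn:aws:sts::123456789012:assumed-role/TranscodeRole/alice-cli"}},
    },
    {   # 2. The action run with the temporary credentials: the principal is the role session.
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "elastictranscoder.amazonaws.com",
        "eventName": "CreateJob",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/TranscodeRole/alice-cli",
                         "sessionContext": {"sessionIssuer": {"type": "Role",
                             "arn": "arn:aws:iam::123456789012:role/TranscodeRole"}}},
    },
]

def session_origins(records):
    """Map each assumed-role session ARN to the identity that created it via AssumeRole."""
    origins = {}
    for r in records:
        if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "AssumeRole":
            session_arn = r["responseElements"]["assumedRoleUser"]["arn"]
            origins[session_arn] = (r["userIdentity"]["arn"], r["eventTime"])
    return origins

def attribute(records):
    """For every action taken by an assumed-role session, report the principal CloudTrail
    recorded (the session), the role it was issued from, and who obtained it and when."""
    origins = session_origins(records)
    out = []
    for r in records:
        ident = r["userIdentity"]
        if ident["type"] != "AssumedRole":
            continue
        issuer = ident["sessionContext"]["sessionIssuer"]["arn"]
        who, when = origins.get(ident["arn"], ("<no AssumeRole event in window>", None))
        out.append({"event": f'{r["eventSource"]}:{r["eventName"]}', "principal": ident["arn"],
                    "role": issuer, "assumed_by": who, "assumed_at": when})
    return out

if __name__ == "__main__":
    print(json.dumps(attribute(RECORDS), indent=2))
```

Note that the service name elastictranscoder.amazonaws.com never appears as a principal: the recorded principal is the assumed-role session, and the sessionIssuer block names the role it came from.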