0
votes

In AWS IAM, we can create roles; a role has a set of policies which determine what is allowed once the role has been assumed by a service, a user, etc.

If I create a role which has trusted entities set to "ec2.amazonaws.com", what does it basically mean? Does it mean we can attach that role to EC2 like a profile, or does it mean we run Terraform from that instance by providing an assume role from EC2, or that it can be used via the CLI? Does it work if I run Terraform from another account's EC2 instance?

If I run Terraform from my local machine by assuming a role, what should be given in the trusted entities of that role?

2

Do the answers on stackoverflow.com/q/52013295/2291321 help explain it to you? – ydaetskcoR

2 Answers

1
votes

does it mean we can attach that role to EC2 like a profile

Yes, only EC2 instances can assume such a role.

does it mean we run Terraform from that instance by providing an assume role from EC2, or that it can be used via the CLI

Yes, when the role is assumed by an instance, a set of temporary AWS credentials is generated. The credentials are available to every application on the instance through the metadata service.

Terraform or the AWS CLI can query the metadata for the credentials by default.

does it work if I run Terraform from another account's EC2 instance

No, it does not. A different instance will have different metadata and may or may not have a role attached. You would have to manually copy credentials from instance1 to instance2 to use them.

If I run Terraform from my local machine by assuming a role, what should be given in the trusted entities of that role?

Usually it would be your IAM user. There are other possibilities as well.
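As an added illustration of the first three points above (this is example Terraform, not code from the question or this answer): a role whose trust policy names the EC2 service principal, the instance profile that carries it, and an instance that picks up the role's temporary credentials from the metadata service. The role, profile and bucket names, the region and the AMI id are assumed placeholders; the IMDSv2 setting is an extra hardening step not discussed in the answer.

```hcl
# Added example: an EC2-trusted role, its instance profile, and an instance
# that uses it. All names and ids below are assumed placeholders.

# Trust policy: only the EC2 service may call sts:AssumeRole on this role.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance_role" {
  name               = "tf-runner-instance-role"   # assumed name
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Least privilege: grant only what Terraform on the instance must do.
# Read access to a state bucket is used here purely as an illustration.
data "aws_iam_policy_document" "instance_permissions" {
  statement {
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-tf-state-bucket",    # assumed bucket name
      "arn:aws:s3:::example-tf-state-bucket/*",
    ]
  }
}

resource "aws_iam_role_policy" "instance_permissions" {
  name   = "tf-runner-instance-permissions"
  role   = aws_iam_role.instance_role.id
  policy = data.aws_iam_policy_document.instance_permissions.json
}

# A role is attached to an instance through an instance profile, not directly.
resource "aws_iam_instance_profile" "runner" {
  name = "tf-runner-instance-profile"
  role = aws_iam_role.instance_role.name
}

resource "aws_instance" "runner" {
  ami                  = "ami-0123456789abcdef0"   # placeholder AMI id
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.runner.name

  # Require IMDSv2 so that only session-token requests can read the role's
  # temporary credentials from the metadata service (169.254.169.254).
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
```

With this applied, `terraform` or `aws` run on the instance needs no configured keys: the default credential chain reads the role's temporary credentials from the metadata service, and they are rotated by EC2. Nothing here grants anything to an instance in another account; that instance has its own metadata and its own (or no) profile.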

0
votes

An IAM role has a trust policy that defines which conditions must be met to allow other principals to assume it. Meaning that if you have ec2.amazonaws.com as a principal, then only EC2 instances may assume this role.

If you were going to allow a user who is running Terraform on the CLI to assume the role, then you would have arn:aws:iam::111122223333:user/Webstar as the principal in the trust policy.

Lots more info: Trust policies
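As an added example for the user-principal case described in this answer (example Terraform, not code from the answer): a role whose trust policy names the IAM user ARN quoted above, and the provider block that assumes that role when Terraform is run from a workstation. The user ARN is the one from the answer; the role name, account id and region are assumed placeholders, and the MFA condition is an extra restriction the answer does not mention.

```hcl
# Added example: a role trusted by one IAM user, plus the provider
# configuration that assumes it for a local Terraform run.
# The role name, region and account id are assumed placeholders.

data "aws_iam_policy_document" "user_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:user/Webstar"]
    }
    # Extra restriction: the user must have authenticated with MFA, so a
    # leaked long-lived access key on its own cannot assume the role.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "local_terraform" {
  name                 = "terraform-from-workstation"   # assumed name
  assume_role_policy   = data.aws_iam_policy_document.user_trust.json
  max_session_duration = 3600                            # one-hour sessions
}

# In the configuration that does the actual work (a separate root module,
# because a role cannot be assumed by the run that creates it), Terraform
# authenticates as the user and then switches to the role via STS.
provider "aws" {
  region = "us-east-1"   # assumed region
  assume_role {
    role_arn     = "arn:aws:iam::111122223333:role/terraform-from-workstation"
    session_name = "terraform-local"
  }
}
```

The user's own IAM policy must also allow `sts:AssumeRole` on that role ARN; the trust policy alone is one half of the handshake. The `session_name` shows up in CloudTrail `AssumeRole` events, which is what lets you attribute later API calls back to a specific local run.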