Member, December 3, 2023 at 9:28 am
I don’t agree with the answer on the following question:
Even though it is always recommended to use a role for temporary credentials rather than fixed credentials for IAM users, you are omitting a rather crucial piece of information: you never defined whether the auditor has either A) an AWS account of their own or B) is using an identity provider already integrated with the target accounts. You cannot assume roles on your own without a principal that actually performs the sts:AssumeRole action.
Administrator, December 5, 2023 at 4:00 pm
Thanks for your valuable insight.
Yes, I agree with you. For the usage of IAM roles to make sense, a trust policy with a valid principal representing the auditor (be it an IAM user or federated user) must be established first. Without specifying the auditor’s origin, creating an IAM user with read permissions could be a viable solution as well.
We’ll make sure to clarify and refine the wording to remove any confusion.
Let me know if you have further clarifications.
Carlo @ Tutorials Dojo
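To make the point of this exchange concrete, here is an added example (not from the original thread, the course, or AWS) of what "a trust policy with a valid principal representing the auditor" looks like, next to a small check that flags a trust policy with no usable principal or a wildcard one. The account ID, external ID and policy documents are constructed placeholders; the check logic is the author's, not an AWS API. A role with this trust policy would still need a permissions policy attached (for example the AWS managed `arn:aws:iam::aws:policy/ReadOnlyAccess`) for the auditor to read anything.

```python
import json

# Constructed placeholder values, not taken from the thread above.
AUDITOR_ACCOUNT_ID = "111122223333"        # the auditor's own AWS account
EXTERNAL_ID = "audit-engagement-example"   # shared value for confused-deputy protection

# Trust policy for the audit role: names the principal (the auditor's account)
# that is allowed to call sts:AssumeRole. Without this, nobody can use the role.
AUDIT_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AUDITOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Weak variant for contrast: a wildcard principal and no ExternalId condition.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows single values or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy):
    """Return the set of principal identifiers allowed to assume the role."""
    principals = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.add("*")
        elif isinstance(principal, dict):
            # Keys are "AWS", "Federated" or "Service"; values are ARNs or lists of ARNs.
            for values in principal.values():
                principals.update(_as_list(values))
    return principals


def _account_of(principal):
    """arn:aws:iam::111122223333:root -> '111122223333'; a bare account id passes through."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def trust_policy_findings(trust_policy, expected_account_id):
    """Return the problems a reviewer would flag in an auditor role's trust policy."""
    findings = []
    principals = assume_role_principals(trust_policy)
    if not principals:
        findings.append("no principal may call sts:AssumeRole; the role is unusable")
    for p in sorted(principals):
        if "*" in p:
            findings.append(f"wildcard principal {p!r}: any AWS principal could assume the role")
        elif _account_of(p) != expected_account_id:
            findings.append(f"principal {p!r} is not in the auditor's account {expected_account_id}")
    for stmt in _as_list(trust_policy.get("Statement", [])):
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:ExternalId" in block for block in conditions.values())
        if stmt.get("Effect") == "Allow" and not has_external_id:
            findings.append("sts:ExternalId condition missing: no confused-deputy protection")
    return findings


if __name__ == "__main__":
    print(json.dumps(AUDIT_ROLE_TRUST_POLICY, indent=2))
    print("auditor role:", trust_policy_findings(AUDIT_ROLE_TRUST_POLICY, AUDITOR_ACCOUNT_ID))
    print("open role:   ", trust_policy_findings(OPEN_TRUST_POLICY, AUDITOR_ACCOUNT_ID))
```

If the auditor instead comes in through an identity provider already federated into the target account, the `"AWS"` principal above becomes a `"Federated"` principal for that provider; the check still works because it only looks at which identifiers can perform `sts:AssumeRole`.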