IAM Role in AWS

In AWS, IAM roles are similar to IAM users in that policies and permissions can be attached to them. However, a role cannot be used to sign in, and it does not really hold the policies itself. It appears to have them, but underneath, those policies flow down to the actual users who work under the role.

The idea is that roles help you group users together, and also that they give you a way to temporarily grant a level of access or permission to a user, with an easy way to revoke it.

What is the use of IAM Role in AWS

You might create an IAM role in AWS if you want to give all users on project X permissions on the objects used for that project. Then, if a user moves teams, you can take that role off them and assign them another one without disrupting the rest of the team.

This lets you add permissions for the whole team in one place and have them automatically passed on to everyone who needs them.

How to create IAM Role in AWS

It is straightforward to create an IAM role in AWS. Instructions can be found here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

Essentially, though, you navigate to the IAM section in the console, choose Roles, then Create role.

How to get IAM Role in AWS

You can retrieve the IAM roles in an account from the IAM section of the console under the roles section.

It is also possible to get roles, and information on them, from the CLI.

There are two particularly useful commands:

list-roles – this lists the roles in an account, filtered by the options you specify.

https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html

list-roles
[--path-prefix <value>]
[--max-items <value>]
[--cli-input-json <value>]
[--starting-token <value>]
[--page-size <value>]
[--generate-cli-skeleton <value>]

get-role – this retrieves more information on a specified role name.

https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html

get-role
--role-name <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

How to create IAM Role in AWS CLI

Creating an IAM role in AWS via the CLI is easy. The command you need is create-role.

Detailed information can be found here:

https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html

create-role
[--path <value>]
--role-name <value>
--assume-role-policy-document <value>
[--description <value>]
[--max-session-duration <value>]
[--permissions-boundary <value>]
[--tags <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
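The following is an added example, not code from the original post, showing the three CLI commands above in sequence: create-role with a trust policy, attach-role-policy to give the role permissions, then get-role and list-roles to read it back. The trust policy (--assume-role-policy-document) is what decides who may assume the role, so it is kept to a single named service rather than a wildcard principal. The role name project-x-readonly, the path /projects/ and the choice of the ReadOnlyAccess managed policy are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): create a role that only the
# EC2 service may assume, give it a managed read-only policy, then read it
# back. Role name, path and policy ARN below are placeholders.

# Build the trust policy (who may assume the role) as a JSON document.
# Naming one service principal here is the important control: a trust
# policy with "Principal": "*" would let any AWS account assume the role.
trust_policy_for_service() {
  service="$1"   # e.g. ec2.amazonaws.com
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"%s"},"Action":"sts:AssumeRole"}]}' "$service"
}

# Create the role under a path, then attach a managed permissions policy.
# The trust policy only says who may assume the role; the attached policy
# says what they may do once they have.
create_role_with_policy() {
  role_name="$1"; service="$2"; policy_arn="$3"
  aws iam create-role \
    --path /projects/ \
    --role-name "$role_name" \
    --assume-role-policy-document "$(trust_policy_for_service "$service")" \
    --description "Added example: read-only access for project X" \
    --max-session-duration 3600
  aws iam attach-role-policy --role-name "$role_name" --policy-arn "$policy_arn"
}

# Read back the role's ARN and its trust policy with get-role.
describe_role() {
  aws iam get-role --role-name "$1" \
    --query 'Role.[Arn,AssumeRolePolicyDocument]' --output json
}

# List only the roles under the project path with list-roles.
list_project_roles() {
  aws iam list-roles --path-prefix /projects/ \
    --query 'Roles[].RoleName' --output text
}

# Run with RUN_EXAMPLE=1 against an account you administer.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  create_role_with_policy project-x-readonly ec2.amazonaws.com \
    arn:aws:iam::aws:policy/ReadOnlyAccess
  describe_role project-x-readonly
  list_project_roles
fi
```

The functions only define the commands; set RUN_EXAMPLE=1 to execute them. The --path-prefix filter on list-roles is the same option shown in the synopsis above and is the quickest way to find a team's roles once they share a path.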

How to delete IAM Role in AWS

You can delete a role in AWS using the console by navigating to the Roles section under IAM.

You can also delete IAM roles using the CLI. Doing so is straightforward, but you do need to make sure that nothing you need is using that role for access. You can follow the instructions here:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html
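As an added example (not from the original post or the AWS documentation it links), the script below turns the "make sure nothing is using that role" caveat into checks: it refuses to delete a role that IAM reports as used after a cutoff date, and it detaches managed policies, inline policies and instance profiles first, because delete-role fails while any of those still reference the role. The role name and the 30-day idle window are assumptions; the date command in the final block uses GNU syntax.

```shell
#!/bin/sh
# Added example (not from the original post): delete an IAM role only after
# checking it is idle and detaching everything that still references it.

# Print the last-used date IAM recorded for the role, or "None" if it has
# never been used (get-role exposes this under Role.RoleLastUsed).
role_last_used() {
  aws iam get-role --role-name "$1" \
    --query 'Role.RoleLastUsed.LastUsedDate' --output text
}

# Return 0 when the role is idle: never used, or last used before the cutoff.
# Both values are ISO-8601 UTC timestamps with the same calendar layout, so
# a plain string comparison orders them correctly.
is_idle() {
  last_used="$1"; cutoff="$2"
  [ "$last_used" = "None" ] && return 0
  [ "$(expr "$last_used" \< "$cutoff")" = 1 ]
}

# Detach managed policies, delete inline policies and remove the role from
# any instance profile, so that delete-role can succeed afterwards.
detach_role_references() {
  role="$1"
  for arn in $(aws iam list-attached-role-policies --role-name "$role" \
      --query 'AttachedPolicies[].PolicyArn' --output text); do
    aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
  done
  for name in $(aws iam list-role-policies --role-name "$role" \
      --query 'PolicyNames[]' --output text); do
    aws iam delete-role-policy --role-name "$role" --policy-name "$name"
  done
  for profile in $(aws iam list-instance-profiles-for-role --role-name "$role" \
      --query 'InstanceProfiles[].InstanceProfileName' --output text); do
    aws iam remove-role-from-instance-profile \
      --instance-profile-name "$profile" --role-name "$role"
  done
}

# Delete the role if it has been idle since the cutoff; refuse otherwise,
# since a role in active use is still granting access to some workload.
delete_role_safely() {
  role="$1"; cutoff="$2"
  if ! is_idle "$(role_last_used "$role")" "$cutoff"; then
    echo "refusing to delete $role: used after $cutoff" >&2
    return 1
  fi
  detach_role_references "$role"
  aws iam delete-role --role-name "$role"
}

# Run with RUN_EXAMPLE=1; cutoff is 30 days ago (GNU date syntax).
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  delete_role_safely project-x-readonly \
    "$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ)"
fi
```

The last-used check is a heuristic, not proof that nothing depends on the role: IAM only records use by sessions that actually assumed it, so a role referenced in a trust policy, a CloudFormation template or an application config that has not run recently will still look idle. Treat a refusal as a prompt to investigate, and an allowed deletion as something to do after confirming with the team that owns the role.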

How to find IAM Role in AWS

It's in the console under IAM and then Roles.

You can do it quickly if you have CLI access with the command list-roles:

https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html

Steps to create IAM Role in AWS

How to export IAM Role in AWS
