AWS IAM: Allowing a Role to Assume Another Role
To allow an IAM Role to assume another Role, we need to modify the trust relationship of the role that is to be assumed. The process varies depending on whether the roles exist within the same account or in separate accounts.
Roles in the Same Account
Let’s say we have two roles, Role_A and Role_B. If we want to allow Role_A to assume Role_B, we need to modify the trust relationship of Role_B with the following:
This is all that’s needed to allow a role to assume another role within the same account.
Note the Principal element, where we specify the role that we want to give permissions to. In general, the Principal element is used in policies to give users/roles/services access to other AWS resources. However, the Principal element cannot be used in policies attached to Roles. It can only exist in the trust relationships of roles (you’ll get errors if you try to use the Principal element in an IAM Role policy).
You can read more about this element in the AWS docs.
Roles in Different Accounts
Now let’s say Role_A and Role_B are in different accounts. In this case, the process from above stays the same: Role_B needs to have its trust relationship modified to allow Role_A to assume it. The difference here is that Role_A will also need an additional policy with sts:AssumeRole permissions. So the final result is as follows:
Role_B trust relationship stays the same:
Role_A needs the following attached as a policy:
With both in place, Role_A will be able to assume Role_B even though they’re in different accounts.
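As an added example (not code from the original post), the following builds the two policy documents described above and models the post’s rule: the trust relationship on the assumed role is always required, and the sts:AssumeRole identity policy on the assuming role is required only in the cross-account case. The ARNs and account IDs are constructed placeholders.

```python
# Constructed sample ARNs; the account IDs are placeholders, not from the post.
ROLE_A = "arn:aws:iam::111111111111:role/Role_A"
ROLE_B_SAME_ACCOUNT = "arn:aws:iam::111111111111:role/Role_B"
ROLE_B_OTHER_ACCOUNT = "arn:aws:iam::222222222222:role/Role_B"


def trust_policy(trusted_role_arn):
    """Trust relationship for Role_B: the role in Principal may call sts:AssumeRole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": trusted_role_arn},
        "Action": "sts:AssumeRole"}]}


def assume_role_policy(target_role_arn):
    """Identity policy attached to Role_A, needed in the cross-account case."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": target_role_arn}]}


def _account_of(arn):
    # ARN layout: arn:partition:service:region:account-id:resource
    return arn.split(":")[4]


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Principal.AWS
    return value if isinstance(value, list) else [value]


def can_assume(caller_arn, caller_policies, target_arn, target_trust):
    """Simplified evaluator for the post's rule (explicit role ARN in Principal only)."""
    trusted = any(
        s["Effect"] == "Allow"
        and "sts:AssumeRole" in _as_list(s["Action"])
        and caller_arn in _as_list(s.get("Principal", {}).get("AWS", []))
        for s in target_trust["Statement"])
    if not trusted:
        return False  # without the trust relationship nothing else matters
    if _account_of(caller_arn) == _account_of(target_arn):
        return True  # same account: the trust relationship alone is enough
    # different accounts: the caller also needs sts:AssumeRole on the target
    return any(
        s["Effect"] == "Allow"
        and "sts:AssumeRole" in _as_list(s["Action"])
        and any(r in (target_arn, "*") for r in _as_list(s["Resource"]))
        for p in caller_policies for s in p["Statement"])
```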