amazon-web-servicesamazon-iamfederated-identity

Difference between IAM role and IAM user in AWS


What is the difference between an IAM role and an IAM user? The IAM FAQ has an entry explaining it, but it was vague and not very clear:

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

I think an IAM role is used for federated logins (using an IdP with SAML tokens for example), and they don't have permanent access keys that you can download like regular IAM users have (the "an IAM role doesn't have any credentials" part).

What do they mean when they say an IAM role can't make direct requests to AWS services? I can login to AWS Console (the web console) and create stacks etc, so it can't be that.


Solution

  • To understand the difference, let us go through IAM basic knowledge

    IAM controls: Who (authentication) can do What (authorization) in your AWS account. Authentication(who) with IAM is done with users/groups and roles whereas authorization(what) is done by policies.

    Here the term

    User and roles use policies for authorization. Keep in mind that user and role can't do anything until you allow certain actions with a policy.

    Answer the following questions and you will differentiate between a user and a role:

    AWS supports 3 Role Types for different scenarios

    To understand what role is, you need to read its use case, I don't want to reinvent the wheel so please read the following AWS documents: https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/

    https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

    Hope it helps.