Chris Mendez in For Developers, AWS

AWS: Roles vs Groups

Roles and Groups are not hard to understand but I still find myself Googling the nuances. Here's my personal cheat sheet to help jog my memory.

I wrote this in a Q&A format so that I can avoid being overly abstract.

Q & A

What is a Role?

A role is a preset of Policies for your AWS services.

Roles allow you to delegate access with defined permissions to trusted entities (like EC2) without having to share long-term access keys. Source


What is the purpose of a role?

In many ways, a Role is intended to stand in for a user. For example, instead of asking a developer to log into an EC2 instance every hour and run a process that writes to S3, you can create a Role and assign it to the EC2 instance so the instance carries out that task on your behalf.


Can I assign users to roles?

No.


Can I assign users to groups?

Yes.


Can I assign policy files to roles and groups?

Yes. You can attach policies to roles and groups, and to individual users as well.


Is there any way to get my EC2 to automatically communicate with my S3 bucket?

Yes, use a role. Roles let you delegate work to an AWS resource without storing long-term credentials (Access Key ID + Secret Access Key) on it.


Can I add Roles to running EC2 instances?

Yes but not within the web console. You must use the AWS command line client (for now). Source + Documentation.

Add Role

aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile

Verify Role

aws ec2 describe-iam-instance-profile-associations

I want to grant 2 new developers access to my existing EC2 instance. How can I do that?

Use a group.

Create 2 new users and provide them with IAM access credentials. Create a new Group titled "MyDevelopers" and include a Policy File which grants access to your EC2 instance. Add those users to your Group.
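The two procedures above (attach a role to an EC2 instance; put developers in a group) differ in one thing the cheat sheet does not spell out: a role needs a trust policy saying who may assume it, while a group needs no such thing because membership does that job. The following is an added example, not part of the original post, that builds the policy documents for both paths, prints the CLI sequence that uses them, and lints each policy for full-wildcard Allow statements. The bucket name, instance id, account id, role and group names are made up; nothing here calls AWS, so it runs offline.

```python
"""Role vs group: the policy documents each one needs, plus a wildcard lint.
Added example; all names and ids below are constructed placeholders."""
import json

EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"


def ec2_trust_policy() -> dict:
    """Trust policy: WHO may assume the role. Only roles have one;
    a group controls access through membership instead."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": EC2_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_bucket_write_policy(bucket: str) -> dict:
    """Permissions policy for the role: scoped to one bucket, not s3:*."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def ec2_instance_access_policy(instance_id: str, region: str, account_id: str) -> dict:
    """Permissions policy for the developers' group: scoped to one instance.
    ec2:DescribeInstances does not support resource-level permissions,
    so that one statement must use Resource "*"."""
    arn = f"arn:aws:ec2:{region}:{account_id}:instance/{instance_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
             "Resource": arn},
            {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
        ],
    }


def find_wildcard_statements(policy: dict) -> list:
    """Indexes of Allow statements granting every action ("*" or "svc:*")
    on every resource ("*"). A narrow action on "*" (like Describe) passes."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources:
            flagged.append(i)
    return flagged


def role_setup_commands(role: str, instance_id: str) -> list:
    """Role path: role -> instance profile -> attach to the instance. The
    instance is associated with the profile, which is why the post's command
    takes Name=...-Instance-Profile rather than the role name."""
    profile = f"{role}-Instance-Profile"
    return [
        f"aws iam create-role --role-name {role} --assume-role-policy-document file://trust.json",
        f"aws iam put-role-policy --role-name {role} --policy-name S3Write --policy-document file://s3.json",
        f"aws iam create-instance-profile --instance-profile-name {profile}",
        f"aws iam add-role-to-instance-profile --instance-profile-name {profile} --role-name {role}",
        f"aws ec2 associate-iam-instance-profile --instance-id {instance_id} --iam-instance-profile Name={profile}",
    ]


def group_setup_commands(group: str, users: list) -> list:
    """Group path: group + inline policy, then one user created and added per developer."""
    cmds = [
        f"aws iam create-group --group-name {group}",
        f"aws iam put-group-policy --group-name {group} --policy-name EC2Access --policy-document file://ec2.json",
    ]
    for user in users:
        cmds.append(f"aws iam create-user --user-name {user}")
        cmds.append(f"aws iam add-user-to-group --group-name {group} --user-name {user}")
    return cmds


if __name__ == "__main__":
    # Constructed placeholder values; replace with your own before running the commands.
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(json.dumps(s3_bucket_write_policy("example-bucket"), indent=2))
    print(json.dumps(ec2_instance_access_policy("i-0123456789abcdef0", "us-east-1", "123456789012"), indent=2))
    print("\n".join(role_setup_commands("S3WriterRole", "i-0123456789abcdef0")))
    print("\n".join(group_setup_commands("MyDevelopers", ["dev1", "dev2"])))
```

Write the three JSON documents to trust.json, s3.json and ec2.json, then run the printed commands; the instance keeps no access keys, and the developers get only the EC2 actions the group policy names.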


Resources