- 最新
- 投票最多
- 评论最多
To your question, IAM roles can be assumed by IAM User and IAM role. Please refer Use IAM Roles for complete list of who can assume roles and method of assuming role.
Additionally refer Temporary credentials request.
Your application can leverage either IAM User or IAM Roles Anywhere for this purpose.
-
With IAM User, IAM user would have access of AssumeRole for that role and you'd make sure that IAM role has all the required permissions to access AWS resources, which your typescript application needs. IAM user would be considered simple but less secure way of doing this as you'll store the access key and secret access key somewhere and can be leaked. If you go with IAM user route, I'd advise you to keep rotating them periodically and use variables for these and store them in a file and that credential file can be read by specific set of users only.
-
IAM Roles Anywhere is relatively new feature and cal also be used in this use case, please refer following two blog posts, which covers the topic and provide guidance, how to set it up:
-
Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere
-
AWS Identity and Access Management introduces IAM Roles Anywhere for workloads outside of AWS
Hope this explanation helps.
Abhishek
If the application is running outside of AWS, I would then need an IAM user tied to that assumed role correct?
There are two ways, you can do that, one is use IAM user and that IAM user would have assume role permissions for the role that has all the required permissions.
Other one is IAM role anywhere, relatively new feature for same use case. I have added these details to my answer too.
Don't hesitate to ask further questions, happy to help.