What is the difference between IAM users vs IAM roles?

Asked by ColinPayne in AWS, Asked on May 29, 2024

I am a cloud administrator for a company that uses AWS for its infrastructure. Recently there have been several incidents where access management has been inefficient, which is leading to both over-privileged users and unnecessary security risk. My question is: what is the difference between IAM users and IAM roles in the context of access management?

Answered by Dominic Poole

In the context of AWS, here are the key differences:

IAM USERS

This particular permanent entity with long-term credentials is suitable for ongoing needs. This is a permanent entity that is created to represent an individual or service that needs consistent, long-term access to your AWS resources. IAM users have long-term credentials such as a password for AWS Management Console access and access keys for API, CLI, SDK, and other development tool access. Permissions are directly assigned to the user via policies. These permissions are persistent and remain until explicitly changed or revoked. It is very suitable for users or services that require consistent access to AWS resources. Here is an example of how you can create an IAM user and attach a policy:

import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AttachUserPolicyRequest;
import software.amazon.awssdk.services.iam.model.CreateUserRequest;
import software.amazon.awssdk.services.iam.model.CreateUserResponse;
import software.amazon.awssdk.services.iam.model.IamException;

public class CreateIamUser {
    public static void main(String[] args) {
        // Create an IamClient instance (IAM is a global service, so use the global region)
        IamClient iamClient = IamClient.builder()
                                       .region(Region.AWS_GLOBAL)
                                       .credentialsProvider(ProfileCredentialsProvider.create())
                                       .build();
        // Define the user name
        String userName = "JohnDoe";
        // Create the user
        createUser(iamClient, userName);
        // Attach a policy to the user
        attachPolicy(iamClient, userName);
        // Close the IamClient
        iamClient.close();
    }

    // Create an IAM user
    public static void createUser(IamClient iamClient, String userName) {
        try {
            CreateUserRequest request = CreateUserRequest.builder()
                                                         .userName(userName)
                                                         .build();
            CreateUserResponse response = iamClient.createUser(request);
            System.out.println("Successfully created user: " + response.user().userName());
        } catch (IamException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }

    // Attach a managed policy to the user
    public static void attachPolicy(IamClient iamClient, String userName) {
        try {
            AttachUserPolicyRequest request = AttachUserPolicyRequest.builder()
                                                                     .userName(userName)
                                                                     .policyArn("arn:aws:iam::aws:policy/AmazonS3FullAccess")
                                                                     .build();
            iamClient.attachUserPolicy(request);
            System.out.println("Successfully attached policy to user: " + userName);
        } catch (IamException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
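The answer above stresses that IAM users carry long-term credentials that persist until someone revokes them, which is exactly the risk the questioner describes. The following added example (not from the answer or the AWS SDK samples) audits an IAM credential report offline for that risk: active access keys that have not been rotated within a given window, and console passwords without MFA. It assumes the CSV layout that `aws iam get-credential-report` returns after base64 decoding; the rows embedded below are constructed sample data with the documentation placeholder account ID, not output from a real account.

```python
"""Offline audit of an IAM credential report for long-lived credentials."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample in credential-report layout (only the columns used here).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true,false,N/A,false,N/A
JohnDoe,arn:aws:iam::123456789012:user/JohnDoe,2023-02-10T09:00:00+00:00,true,false,true,2023-02-10T09:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2024-01-15T12:00:00+00:00,false,false,true,2024-05-01T12:00:00+00:00,true,2022-06-01T12:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,2024-03-01T08:00:00+00:00,true,true,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Report timestamps are ISO-8601; 'N/A' and similar markers mean no value."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, item, detail) findings for stale active access keys and
    console users without MFA. A key that is active but has no rotation
    timestamp is treated as stale, since its age cannot be shown to be bounded."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            if age is None or age > max_key_age_days:
                findings.append((user, f"access_key_{slot}",
                                 f"active long-term key not rotated for {age} days"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console", "password login enabled without MFA"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the sample gives repeatable results (the question's date).
    for finding in audit_credential_report(SAMPLE_REPORT,
                                           datetime(2024, 5, 29, tzinfo=timezone.utc)):
        print(*finding, sep=" | ")
```

Users that only show up with stale keys are candidates for replacement by an IAM role assumed from the workload, which removes the long-term key entirely rather than just rotating it.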

