00:00:00,120 --> 00:01:03,460
So, here is another feature we've been using in IAM without really knowing it, but it is crucial to understanding AWS. So when we configured many AWS services, we gave them IAM roles, and for this the keyword is that we passed IAM roles to them. And this was done, usually, when we set up a service the first time. So then the service, once it has an IAM role, it can assume the role and perform the actions it needs. So when we pass a role to another service, well, for example, when we created an EC2 instance role and assigned it to the EC2 instance, we actually passed that role. Or to a Lambda function, where we created an IAM role and then we passed it to the Lambda function so that it could, for example, call Amazon S3, or an ECS task, or when we passed a role to CodePipeline, to allow it to invoke other services. So all in all, when we want to pass a role to another AWS service we need the IAM permission called iam:PassRole, and often this comes with another permission called iam:GetRole to view the role being passed.

00:01:03,460 --> 00:01:59,100
So the key here, though, is that to pass a role to another service you need the iam:PassRole permission. So concretely, what does an IAM policy look like? Well, it looks like this. So this IAM policy, if it was assigned to me, allows me to do anything I want on EC2, such as creating instances, terminating them, etc. etc., but the second part of the statement allows me to pass a role, and that role is called S3Access. So that means that the only role I can assign onto my EC2 instances is this one S3Access role. And so for this I need the action iam:PassRole to do it. So the question is, can any role be passed to any service? And the answer is no. Roles can only be passed to the services based on what their trust allows, and so a trust policy for a role is an indication to say which service can assume that role. So here is a normal IAM role, so this is a trust policy for an IAM role.

00:01:59,100 --> 00:03:02,030
And this is saying that only the EC2 service, so this is in the principal, service EC2, only this EC2 service is trusted to assume that role, and so we've been using this without knowing in the IAM policy, so let's have a look. So in IAM I go to Roles and we can see here there's a role name and here there is a trusted entity, and so this allows a specific service to assume that role. So, for example, if we look at this AWS CodePipeline service and we open it, we can see the permissions we have allowed on this CodePipeline service; they're here in JSON. But the second tab in here is called Trust relationships, and this trust relationship is a policy document. So I'll click on Show policy document and this is the trust policy which allows the CodePipeline service to assume that role. So this is why here you see that the trusted identity providers are codepipeline.amazonaws.com, so this is the whole idea behind a trust policy. But, you can have a look, there is a list of all the trusted entities in here.

00:03:02,030 --> 00:03:39,450
So if I scroll down, for example, and look at my Lambda functions, so if I go to Lambda and look at lamda-dynamodb-demo-role, so this has a bunch of policies, but if I go to the trust relationship we can see the trust provider is lambda.amazonaws.com, which is, if I look at the JSON document, something like this. So that's it, this was the behind the scenes. So, again, to pass a role we first need to create the correct trust relationship, to allow the target service to assume it, and then finally we need to have the iam:PassRole permission to pass the role onto the target service. So that's it for me. I hope you liked it, and I will see you in the next lecture.
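The lecture describes two separate checks behind passing a role: the caller's identity policy must allow iam:PassRole on that specific role, and the role's trust policy must allow the target service to assume it. The following is an added example, not code from the lecture: it embeds a constructed identity policy matching the one the lecture describes (full EC2 access plus iam:PassRole on a role named S3Access) and a constructed trust policy for that role (trusting only ec2.amazonaws.com), then evaluates both checks with a deliberately reduced model of IAM policy evaluation (explicit Deny wins, otherwise any matching Allow; wildcards only). The account ID 123456789012 is a placeholder, and the evaluator handles only Service principals; it is not AWS's real policy engine and is meant to make the two-check model concrete, including the failure cases the lecture mentions (wrong role, or a service the role does not trust).

```python
"""Reduced model of the two checks behind passing an IAM role to a service.

Added example, not part of the lecture. Policy documents below are constructed
to match what the lecture describes; the evaluator is a simplified model of IAM
(explicit Deny wins, otherwise any matching Allow, glob wildcards only) and does
not implement conditions, NotAction/NotResource, SCPs or permission boundaries.
"""
import fnmatch
import json

# Placeholder account ID, not a real account.
S3ACCESS_ROLE_ARN = "arn:aws:iam::123456789012:role/S3Access"

# Constructed identity-based policy: anything on EC2, but iam:PassRole (and
# iam:GetRole) only on the single S3Access role, as in the lecture.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:PassRole", "iam:GetRole"],
     "Resource": "arn:aws:iam::123456789012:role/S3Access"}
  ]
}
""")

# Constructed trust policy of the S3Access role: only the EC2 service may
# assume it, so it cannot be passed to Lambda, ECS or CodePipeline.
S3ACCESS_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def identity_allows(policy, action, resource):
    """Check 1: does the caller's identity policy allow `action` on `resource`?"""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        matches = (any(fnmatch.fnmatchcase(action, a) for a in actions)
                   and any(fnmatch.fnmatchcase(resource, r) for r in resources))
        if not matches:
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def trust_allows(trust_policy, service_principal):
    """Check 2: does the role's trust policy let `service_principal` assume it?"""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt["Effect"] == "Allow"
                and service_principal in services
                and any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions)):
            return True
    return False


def can_pass_role(identity_policy, role_arn, trust_policy, target_service):
    """Both checks must pass: PassRole on the role ARN, and the role trusts the target service."""
    return (identity_allows(identity_policy, "iam:PassRole", role_arn)
            and trust_allows(trust_policy, target_service))


if __name__ == "__main__":
    for service in ("ec2.amazonaws.com", "lambda.amazonaws.com"):
        print(service, can_pass_role(IDENTITY_POLICY, S3ACCESS_ROLE_ARN,
                                     S3ACCESS_TRUST_POLICY, service))
```

The second check is what makes scoping the PassRole resource matter: an identity policy that granted `iam:PassRole` on `Resource: "*"` would let the caller hand any role in the account to any service that role trusts, so reviewing both the PassRole resource and each role's trust policy together is the practical way to see what a principal can really do.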