You can use Authorization Graph to understand and investigate how policies and policy statements allow one IAM role to assume another role and inherit its permissions. Use this Graph action to inspect
Last updated
Was this helpful?
Role assumption in AWS is managed through sets of policies and trust relationships. When an IAM role (the assumer) assumes another role (the assumee), it temporarily acquires the permissions assigned to the assumee. Two main components govern assume role operations:
IAM Policies attached to the assumee role define what actions the role can perform, and on which resources.
Trust Policies attached to the assumee role, specifying which principals (users, roles, or AWS services) can assume the role under what conditions.
In Authorization Graph, the dot on the right side of an assumer role will connect to the dot on the left side of its assumee roles. In this example search, the AAD-Admin role can assume a variety of other roles:
The Explain Assume Role tool offers insight into these relationships. It visually represents how roles are interconnected, including the policies and policy statements that enable the operation.
To explain assumed roles:
Go to Access Visibility > Graph and search for a relationship involving AWS IAM Roles, such as Okta Users to AWS S3 buckets.
In the search results, click on an AWS IAM Role that can assume another role.
In the actions sidebar, click Explain Assume Role.
Inspect the results in the Explain Assumed Roles view:
Assumer: The origin role, which you picked in Authorization Graph.
Assumee: The assumed role. Use the dropdown menu to select other roles available to the assumer.
Policy: The AWS IAM Policy entity (such as an inline policy), which specifies actions and resources available to users with the role.
Policy Statement: The specific statement within the policy allowing the assume role operation.
Policy (Trust): The role-specific trust policy attached to the assumee, defining the principals allowed to assume it, and additional conditions, ex:
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:Cct02aSu"
},
"Action": "sts:AssumeRole"
}
]In this example, The Assumer role, Cct02aSu, can assume the permissions of an Assumee role DBWriteGroup. The AdministratorAccess policy linked to the Assumer outlines the general permissions. The corresponding policy statement specifies conditions under which role assumption can occur. The DBWriteGroup Trust Policy establishes a trust relationship, allowing the Assumer role to assume the Assumee role, possibly under specific conditions.
