What is the use of a trust policy in IAM? Explain it and give an example.

Great question! Let's break this down clearly:

🔑 What is a Trust Policy in IAM?

In AWS Identity and Access Management (IAM), a trust policy is a special type of policy attached to an IAM role. It defines who (which principals) can assume the role.

  • Unlike permission policies (which define what actions a role or user can perform), a trust policy defines who is allowed to use the role.

Think of it like this:

  • Permission policy → "What can you do once you have the role?"
  • Trust policy → "Who is allowed to wear the role in the first place?"

📌 Why is it Useful?

  • It controls cross-account access (e.g., allowing another AWS account to assume your role).
  • It enables AWS services (like EC2, Lambda, or ECS) to assume roles on your behalf.
  • It ensures secure delegation of permissions without sharing long-term credentials.

🛠 Example of a Trust Policy

Here's a simple JSON trust policy that allows EC2 instances to assume a role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Explanation:

  • Principal → Defines who can assume the role. Here, it's the EC2 service.
  • Action → sts:AssumeRole is the only action allowed in trust policies.
  • Effect → "Allow" means EC2 is permitted to assume this role.

๐ŸŒ Example: Cross-Account Access

Suppose you want to allow an IAM user from another AWS account (Account B) to assume a role in your account (Account A):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/ExternalUser"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Here:

  • The Principal is an IAM user from another account.
  • This lets that user temporarily assume the role and gain the permissions attached to it.

In short: A trust policy answers "Who can assume this role?", while a permission policy answers "What can this role do once assumed?".
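The following is an added example and is not part of the chat above. It is a small trust-policy linter that applies the practitioner checks a reviewer would run on the two policies discussed: it flags a wildcard principal (anyone can assume the role) and flags a cross-account principal that is trusted without an sts:ExternalId condition, then shows the hardened form of the cross-account policy alongside the permissive one. Assumptions: the "own" account ID 111122223333 and the external ID value are placeholders; the set of recognised assume actions also includes sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity, which trust policies for federated principals use; the function and constant names are the example's own.

```python
import json

# STS actions that grant role assumption in a trust policy. Assumption: this is
# the example's own list of assumption actions, not an exhaustive AWS reference.
ASSUME_ACTIONS = {
    "sts:AssumeRole",
    "sts:AssumeRoleWithSAML",
    "sts:AssumeRoleWithWebIdentity",
}

# Placeholder for the account that owns the role (the AWS documentation sample ID).
OWN_ACCOUNT = "111122223333"


def _as_list(value):
    """Normalize a policy field that may be a single value or a list of values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def account_of(aws_principal):
    """Extract the 12-digit account ID from an ARN, or return a bare account ID unchanged."""
    if aws_principal.startswith("arn:"):
        parts = aws_principal.split(":")
        return parts[4] if len(parts) >= 5 else None
    return aws_principal


def lint_trust_policy(doc, own_account=OWN_ACCOUNT):
    """Return a list of finding strings for one trust policy document (a dict)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action")))
        if not (actions & ASSUME_ACTIONS) and not actions & {"sts:*", "*"}:
            continue  # not a role-assumption grant
        principal = stmt.get("Principal", {})
        conditions = stmt.get("Condition", {})
        # Any condition operator block (StringEquals, ...) that keys on sts:ExternalId counts.
        has_external_id = any("sts:ExternalId" in keys for keys in conditions.values())

        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            continue
        for p in aws_principals:
            if account_of(p) != own_account and not has_external_id:
                findings.append(
                    f"statement {i}: cross-account principal {p} is trusted without an "
                    f"sts:ExternalId condition (confused-deputy risk)"
                )
    return findings


def lint_trust_policy_json(text, own_account=OWN_ACCOUNT):
    """Same check, but starting from the JSON text as stored on the role."""
    return lint_trust_policy(json.loads(text), own_account)


# Constructed sample policies (not taken from any real account).
PERMISSIVE_CROSS_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/ExternalUser"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened form: the external party must also present the agreed external ID.
HARDENED_CROSS_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/ExternalUser"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},  # placeholder value
    }],
}

WILDCARD_PRINCIPAL = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
}

EC2_SERVICE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc in [("permissive", PERMISSIVE_CROSS_ACCOUNT), ("hardened", HARDENED_CROSS_ACCOUNT),
                      ("wildcard", WILDCARD_PRINCIPAL), ("ec2", EC2_SERVICE)]:
        print(name, lint_trust_policy_json(json.dumps(doc)) or "OK")
```

The linter treats a same-account principal without an external ID as acceptable, because the external ID is a confused-deputy control for third parties, not a replacement for scoping the principal; the hardened policy still names the exact user ARN rather than the whole account.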