Create an IAM role with a trust policy
📑 On this page
Part 110 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
A role trust policy controls who may assume the role. Permission policies attached later control what an assumed session may do.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
cat > trust-policy.json <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::$ACCOUNT_ID:root"},
"Action": "sts:AssumeRole"
}]
}
EOF
aws iam create-role \
--role-name "$ROLE_NAME" \
--assume-role-policy-document file://trust-policy.json \
--description "AWS from Zero temporary role" \
--tags Key=Series,Value=aws-from-zeroTrusting the account delegates the next decision to identity policies in that account; it does not automatically let every principal assume the role.
Inspect the result
aws iam get-role \
--role-name "$ROLE_NAME" \
--query "Role.{Name:RoleName,Arn:Arn,MaxSession:MaxSessionDuration,Trust:AssumeRolePolicyDocument}"Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam update-role \
--role-name "$ROLE_NAME" \
--max-session-duration 7200The role can allow sessions up to two hours, though role chaining has a stricter one-hour limit.
Common mistake
Do not confuse the trust policy with permissions. A perfectly assumable role with no permission policies can still do almost nothing.
Cleanup
rm trust-policy.json
aws iam get-role --role-name "$ROLE_NAME"Keep the role for the next STS lessons. Part 125 deletes it after removing policies.
Next, we will learn Inspect an IAM role and its trust policy.