← All posts
2 min read

Create an IAM role with a trust policy

#aws#cli#iam#security#identity
📑 On this page

Part 110 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

A role trust policy controls who may assume the role. Permission policies attached later control what an assumed session may do.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

cat > trust-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$ACCOUNT_ID:root"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
 
aws iam create-role \
  --role-name "$ROLE_NAME" \
  --assume-role-policy-document file://trust-policy.json \
  --description "AWS from Zero temporary role" \
  --tags Key=Series,Value=aws-from-zero

Trusting the account delegates the next decision to identity policies in that account; it does not automatically let every principal assume the role.

Inspect the result

aws iam get-role \
  --role-name "$ROLE_NAME" \
  --query "Role.{Name:RoleName,Arn:Arn,MaxSession:MaxSessionDuration,Trust:AssumeRolePolicyDocument}"

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam update-role \
  --role-name "$ROLE_NAME" \
  --max-session-duration 7200

The role can allow sessions up to two hours, though role chaining has a stricter one-hour limit.

Common mistake

Do not confuse the trust policy with permissions. A perfectly assumable role with no permission policies can still do almost nothing.

Cleanup

rm trust-policy.json
aws iam get-role --role-name "$ROLE_NAME"

Keep the role for the next STS lessons. Part 125 deletes it after removing policies.

Next, we will learn Inspect an IAM role and its trust policy.

Official AWS CLI reference