3

When you assume a role (user, application or service), you give up your original permissions and take the permissions assigned to the role. Why can't new permissions from the assumed role be added to the existing ones? Is this to avoid potential security issues when existing and new policies are mixed up?

woj.sierak
  • 513
  • 6
  • 17
  • Assuming an IAM Role can also grant permissions that you do _not_ have, especially when assuming an IAM Role from a different AWS Account. API calls will be made with credentials associated with the IAM Role, rather than your IAM User. So, you are effectively switching identity. – John Rotenstein Feb 06 '22 at 10:53
  • You don't give up your original permissions. You now have *two* sets of credentials: the original creds and the new creds associated with the assumed role, each with its own set of permissions. Switch between them as needed. – jarmod Feb 06 '22 at 16:25
  • How did it go? Still unclear why there is no chaining? – Marcin Feb 08 '22 at 04:34

1 Answer

3

It would be against the least privilege rule. The permissions in a single role should be just enough for a given task to be completed.

Since a role can assume another role, and that role can assume yet another role, and so on, the cumulative permissions after a chain of assumptions would be against the least privilege rule.

Marcin
  • 215,873
  • 14
  • 235
  • 294
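As an added illustration (not from the question or answer, and not AWS's own policy-evaluation logic), this constructed Python model of AssumeRole shows the replace-not-accumulate behaviour discussed above: the caller keeps its original credentials, the new session carries only the role's permissions (narrowed by any session policy), and a chain of assumptions ends with the last role's permissions rather than the union a cumulative model would produce. `Role`, `Session`, `assume_role`, `chain`, and the account IDs and ARNs are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Role:
    arn: str
    trusted: set        # principal ARNs listed in the role's trust policy
    permissions: set    # actions granted by the role's permission policies

@dataclass
class Session:
    principal: str      # identity the credentials act as
    permissions: set    # actions these credentials can perform

def assume_role(session, role, session_policy=None):
    """Return a NEW session for `role`; `session` is left untouched (two sets of credentials)."""
    # Authorization is two-sided: the caller must be allowed sts:AssumeRole,
    # and the role's trust policy must name the caller.
    if "sts:AssumeRole" not in session.permissions:
        raise PermissionError(f"{session.principal} is not allowed sts:AssumeRole")
    if session.principal not in role.trusted:
        raise PermissionError(f"{role.arn} does not trust {session.principal}")
    effective = set(role.permissions)
    if session_policy is not None:
        effective &= set(session_policy)   # a session policy can only narrow, never add
    # The returned credentials carry the role's permissions only; the caller's are not merged in.
    return Session(principal=role.arn, permissions=effective)

def chain(start, roles):
    """Assume each role in turn. Returns (final session, union an additive model would give)."""
    current = start
    accumulated = set(start.permissions)
    for role in roles:
        current = assume_role(current, role)
        accumulated |= current.permissions
    return current, accumulated

# Constructed sample principals; account IDs and ARNs are placeholders, not real accounts.
USER = Session("arn:aws:iam::111111111111:user/alice", {"sts:AssumeRole", "s3:GetObject"})
DEPLOY = Role("arn:aws:iam::111111111111:role/deploy", {USER.principal},
              {"sts:AssumeRole", "lambda:UpdateFunctionCode"})
AUDIT = Role("arn:aws:iam::222222222222:role/audit", {DEPLOY.arn}, {"cloudtrail:LookupEvents"})

if __name__ == "__main__":
    final, additive = chain(USER, [DEPLOY, AUDIT])
    print("final session:", sorted(final.permissions))   # only the audit role's actions
    print("additive model:", sorted(additive))           # what accumulation would have granted
    print("original still usable:", "s3:GetObject" in USER.permissions)
```

The `additive` set is only computed to show what the least-privilege concern in the answer is about; the session returned by the chain never contains it.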