
AWS IAM Role

Use of external data services in AWS will incur charges to your account. Please make sure to perform the cleanup per the notes at the bottom of the lab.

The following lab focuses on creating an AWS IAM Role in support of Amazon resources in Retool that use the Role to Assume (ARN) setting. An AWS IAM Role is an identity that you create in AWS with specific permissions, but it isn't associated with a specific user or group. Instead, it's designed to be assumed by anyone who needs it and has permission to assume it. Roles are the recommended mechanism for granting permissions to entities you trust, whether they're AWS services, applications, or users from other AWS accounts. They provide temporary security credentials, following the security best practice of least privilege access.

Requirements

To configure AWS IAM Roles the following is required:

  • AWS Account with Administrative user

Steps

AWS IAM Roles provide the path for scoping permissions to least privilege. As an example, you may want to provide read-only access to an Amazon SQS queue. SQS has many privileges, including sqs:SendMessage, sqs:DeleteMessage, sqs:ChangeMessageVisibility, sqs:PurgeQueue, sqs:CreateQueue, and more. Customers can employ AWS Managed Policies or Inline Policies, for example, to scope the permissions to what they require.

Create an AWS IAM Role for Amazon SQS using AWS Managed Permission Group

  • Log in to the AWS Management Console with a user that has administrative privileges to create AWS IAM Roles.
  • Select AWS Identity and Access Management (IAM)
  • Select Access management > Roles
  • Select Create role > AWS account > Next
  • Under Add permissions enter SQS. Select AmazonSQSFullAccess for the policy and select Next.
  • Under Role details specify a Role name of RetoolSQSRole and enter a description for the role.
  • Select Create role. Under search, type RetoolSQSRole so that you can retrieve the Amazon Resource Name (ARN); this is a unique value used in Retool or other systems to refer to the Role that you will assume. It will appear something like:
arn:aws:iam::<AWS Account ID>:role/RetoolSQSRole
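The lab attaches the AmazonSQSFullAccess managed policy, which grants every SQS action on every queue. The paragraph above explains that an inline policy can instead be scoped to what the caller actually needs, such as read-only access to one queue. The following Python is an added example, not code from the lab or from Retool: it builds a trust policy for the "AWS account" trust type, a read-only inline policy scoped to a single queue, and a small evaluator that mirrors IAM's explicit-deny / allow / default-deny ordering so the two policies can be compared offline. The account id, region, and queue names are constructed placeholders, and the evaluator models only Action and Resource matching (no Condition, NotAction, or NotResource).

```python
"""Least-privilege IAM policy for SQS beside the managed full-access policy.

Added example (not part of the lab). All identifiers below are constructed
placeholders; replace them with your own account id, region, and queue name.
"""
import fnmatch
import json

ACCOUNT_ID = "111111111111"                      # constructed placeholder
QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:orders"
OTHER_QUEUE_ARN = f"arn:aws:sqs:us-east-1:{ACCOUNT_ID}:payments"

# Trust policy: who may call sts:AssumeRole on the role. This is what the
# "AWS account" choice in the console produces; the principal is a placeholder.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Shape of the AmazonSQSFullAccess managed policy used in the lab:
# every SQS action on every queue in the account.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}],
}

# Inline read-only policy scoped to one queue: only what a consumer needs.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
        "Resource": QUEUE_ARN,
    }],
}


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    """IAM '*' and '?' wildcard match; action names are case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action, resource):
    """Minimal IAM evaluator: an explicit Deny wins, then any Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(action, _as_list(stmt["Action"])):
            continue
        if not _matches(resource, _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def compare(action, resource):
    """Decision under the managed policy versus the scoped inline policy."""
    return {
        "AmazonSQSFullAccess": is_allowed(FULL_ACCESS_POLICY, action, resource),
        "inline_read_only": is_allowed(READ_ONLY_POLICY, action, resource),
    }


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(json.dumps(READ_ONLY_POLICY, indent=2))
    for act, res in [
        ("sqs:ReceiveMessage", QUEUE_ARN),   # consumer read: both allow
        ("sqs:PurgeQueue", QUEUE_ARN),       # destructive: only full access allows
        ("sqs:ReceiveMessage", OTHER_QUEUE_ARN),  # other queue: only full access allows
    ]:
        print(act, res.rsplit(":", 1)[-1], compare(act, res))
```

The trust policy and inline policy documents are what you would paste into the console (or pass to `aws iam create-role --assume-role-policy-document` and `aws iam put-role-policy`) in place of the managed policy selected in the steps above; the evaluator is only a teaching aid for checking the intended scope before the role is created.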

Create an AWS IAM Role for Amazon SNS using AWS Managed Permission Group

  • Log in to the AWS Management Console with a user that has administrative privileges to create AWS IAM Roles.
  • Select AWS Identity and Access Management (IAM)
  • Select Access management > Roles
  • Select Create role > AWS account > Next
  • Under Add permissions enter SNS. Select AmazonSNSFullAccess for the policy and select Next.
  • Under Role details specify a Role name of RetoolSNSRole and enter a description for the role.
  • Select Create role. Under search, type RetoolSNSRole so that you can retrieve the Amazon Resource Name (ARN); this is a unique value used in Retool or other systems to refer to the Role that you will assume. It will appear something like:
arn:aws:iam::<AWS Account ID>:role/RetoolSNSRole