How to Create an IAM Role

  1. What is an entity in AWS?

  2. What is an IAM Role?

  3. Hands-on Lab Overview

  4. Hands-on Lab

    • To create an IAM Role via Management Console;

    • To create an IAM Role via AWS CLI;

    • To create an IAM Role via AWS SDK;

  5. References

What is an entity in AWS?

In the AWS context, an entity is any object that interacts with AWS services or is managed by them; what counts as an entity depends on the context or perspective. Here are some examples of entities in AWS:

  • Users: IAM users are identities created inside an AWS account. A user usually represents one person or one application that needs its own long-term credentials (a password or access keys) to interact with AWS services.

  • IAM Roles: IAM roles themselves can be considered entities. They represent a set of permissions and can be assumed by various entities, such as AWS services, applications, or users from different AWS accounts.

  • AWS Services: AWS services, such as Amazon S3, EC2, Lambda, or DynamoDB, are entities that provide specific functionalities and can interact with other AWS services or entities. They often require permission to access and manage resources.

  • Applications: Applications running on EC2 instances or serverless architectures, such as Lambda functions, can be entities that interact with AWS services and require appropriate permissions.

  • AWS Accounts: An AWS account itself can be considered an entity. It represents a customer's account and serves as a container for various resources and entities within the AWS environment.

  • Identity Providers: Identity providers, such as Active Directory, federated identity systems, or social identity providers, can also be entities in AWS. They enable federated authentication and allow users to access AWS resources using their existing credentials.

These are just a few examples of entities in the AWS context. The term "entity" is used broadly to encompass any object, user, service, or component that interacts with or is managed within the AWS ecosystem.

What is an IAM Role?

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

IAM roles define a set of permissions that determine what actions an entity can perform on AWS resources. These permissions are defined using IAM policies, which are JSON documents that outline the specific actions, resources, and conditions associated with the role.

IAM roles offer several advantages:

  1. Least privilege: IAM roles allow you to grant the minimum required permissions necessary for a particular task, reducing the risk of excessive access to resources.

  2. Easier administration: Instead of managing individual user accounts and their associated credentials, roles can be assigned to entities dynamically, simplifying the administration process.

  3. Cross-account access: IAM roles enable users or services from one AWS account to assume a role in another AWS account, allowing for controlled access to resources across accounts.

  4. AWS service integration: Many AWS services, such as EC2 instances, Lambda functions, and AWS Glue, can assume IAM roles to perform actions on behalf of those services. This allows for secure interactions between services and the ability to control permissions at a granular level.

IAM roles are commonly used in scenarios such as granting permissions to EC2 instances, enabling cross-account access, facilitating federated authentication, and providing permissions for AWS services.

Hands-on Lab Overview

In this hands-on lab, we will create a role for an AWS service. We will create an IAM role that EC2 instances can assume and attach the AWS managed policy "IAMReadOnlyAccess" to it. This allows an EC2 instance that carries the role to read, but not change, IAM configuration.

We will do this three ways: via the AWS Management Console, the AWS CLI, and the AWS SDK.

Hands-on Lab

Create an IAM role via Management Console

To create an IAM role in AWS via Management Console, follow these steps:

  1. Sign in to the AWS Management Console: Go to the AWS Management Console and sign in with your AWS account credentials.

  2. Open the IAM service: Once signed in, search for "IAM" in the AWS Management Console search bar and open the IAM console.

  3. Navigate to the Roles page: In the IAM console, click on "Roles" in the left-hand navigation menu. This will take you to the Roles page, where you can manage IAM roles.

  4. Click on "Create role": On the Roles page, click on the "Create role" button to start creating a new IAM role.

  5. Select the trusted entity: In the "Create role" wizard, you need to specify the trusted entity that can assume the role. This can be an AWS service, another AWS account, or a federated identity (web identity or SAML). For this lab, choose "AWS service" with EC2 as the use case; the wizard then generates a trust policy that allows only the EC2 service (ec2.amazonaws.com) to assume the role.

  6. Set permissions: Next, you need to attach permissions policies to the IAM role. You can either choose from the existing policies or create a custom policy. Policies define the actions and resources that the role can access, so attach only what the task needs. For this lab, search for and select the AWS managed policy "IAMReadOnlyAccess", then click "Next" to proceed.

  7. Provide a name for the role: Enter a name for the IAM role that you are creating. Make sure the name is descriptive and meaningful.

  8. Review and create the role: Review the role's configuration on the review page and ensure all the details are accurate. If everything looks good, click on "Create role" to create the IAM role.

Create an IAM Role via AWS CLI

To create an IAM role using the AWS Command Line Interface (CLI), follow these steps:

  1. Configure the AWS CLI: Configure the AWS CLI with your AWS account credentials.

  2. Create a trust policy document: Create a JSON file that defines the trust policy (also called the assume-role policy) for the IAM role, that is, which principal is allowed to assume it. This is not the permissions policy; permissions are attached in a separate step. For a role assumed by EC2 instances, create a file named trust-policy.json with the following content:

         {
           "Version": "2012-10-17",
           "Statement": [
             {
               "Effect": "Allow",
               "Principal": {
                 "Service": "ec2.amazonaws.com"
               },
               "Action": "sts:AssumeRole"
             }
           ]
         }
  3. Create the IAM role: Run the following AWS CLI command to create the IAM role:

     aws iam create-role --role-name EC2DemoRole --assume-role-policy-document file://trust-policy.json

    NOTE: A separate file is not required. The trust policy can also be passed to --assume-role-policy-document inline as a JSON string. Note that this parameter always carries the trust policy, not the role's permissions:

     aws iam create-role --role-name S3DemoRole --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'

    Check whether the role has been added via the Management Console. At this point the role has a trust policy only and no permissions; the permissions policy (IAMReadOnlyAccess in this lab) still has to be attached as a separate step, which the console wizard performed for you in its permissions step.

Create an IAM Role via AWS SDK

To create an IAM role using the AWS SDK for JavaScript v2 (the aws-sdk npm package) on Node.js, follow these steps:

  1. Install the AWS SDK: Install AWS SDK using npm, the Node.js package manager, with the following command:

     npm init -y
     npm install aws-sdk
  2. Configure AWS credentials: Set up your AWS credentials to authenticate API requests.

     aws configure
  3. Create the IAM role: Create a file index.js. Enter the following code to the file.

     const AWS = require('aws-sdk');
     const iam = new AWS.IAM();

     // Trust policy: only the EC2 service may assume this role.
     const createRoleParams = {
       RoleName: 'EC2DemoRole',
       AssumeRolePolicyDocument: JSON.stringify({
         Version: '2012-10-17',
         Statement: [
           {
             Effect: 'Allow',
             Principal: {
               Service: 'ec2.amazonaws.com'
             },
             Action: 'sts:AssumeRole'
           }
         ]
       })
     };

     iam.createRole(createRoleParams, function(err, data) {
       if (err) {
         console.log('Error creating IAM role:', err);
       } else {
         console.log('IAM role created successfully:', data.Role.RoleName);
       }
     });

    Adjust the RoleName and AssumeRolePolicyDocument parameters according to your requirements.

    The createRole callback function receives either an error or the response object containing information about the created IAM role. You can handle the response or log any errors as needed.

  4. Finally, run the command node index.js and check whether the role has been added via the Management Console.
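The createRole call above gives the role a trust policy and nothing else: it has no permissions, and EC2 cannot use it until it is placed in an instance profile (the console wizard does both of these silently; the API does not). The following is an added example, not code from the original lab, showing the complete sequence with the AWS SDK for JavaScript v2 promise interface. The IAM client is passed in as a parameter, so the sequence can be exercised offline against the constructed fake client included below and against the real service with `node provision.js --apply`. The function names, the fake client, the --apply flag, and the sample account ID are the example's own assumptions; IAMReadOnlyAccess is the AWS managed policy named in the lab overview.

```javascript
// Added example (not part of the original lab): everything a usable EC2 role needs,
// not only the createRole call. Written against the AWS SDK for JavaScript v2
// ('aws-sdk', the package the lab installs) using its .promise() interface.

const ROLE_NAME = 'EC2DemoRole';
const POLICY_ARN = 'arn:aws:iam::aws:policy/IAMReadOnlyAccess'; // AWS managed policy from the lab

// Trust policy: only the EC2 service may assume the role.
const TRUST_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { Service: 'ec2.amazonaws.com' }, Action: 'sts:AssumeRole' }],
});

// 1. create the role (trust policy only; it can do nothing yet)
// 2. attach the permissions policy
// 3. create an instance profile and put the role in it; EC2 attaches roles only
//    through instance profiles
async function provisionEc2Role(iam, roleName, policyArn) {
  const { Role } = await iam.createRole({
    RoleName: roleName,
    AssumeRolePolicyDocument: TRUST_POLICY,
    Description: 'EC2 role with read-only access to IAM (lab)',
    MaxSessionDuration: 3600, // the minimum: temporary credentials for a session expire after an hour
  }).promise();
  await iam.attachRolePolicy({ RoleName: roleName, PolicyArn: policyArn }).promise();
  await iam.createInstanceProfile({ InstanceProfileName: roleName }).promise();
  await iam.addRoleToInstanceProfile({ InstanceProfileName: roleName, RoleName: roleName }).promise();
  return { roleArn: Role.Arn, instanceProfileName: roleName, policyArn };
}

// Constructed stand-in for AWS.IAM (example only): records each call and answers with
// the response shapes and the error code ('EntityAlreadyExists') the real service uses.
function fakeIam(accountId = '123456789012') {
  const calls = [];
  const roles = new Set();
  const op = (name, handle) => (params) => ({
    promise: async () => { calls.push({ name, params }); return handle(params); },
  });
  return {
    calls,
    createRole: op('createRole', (p) => {
      JSON.parse(p.AssumeRolePolicyDocument); // the real API rejects non-JSON with MalformedPolicyDocument
      if (roles.has(p.RoleName)) {
        const e = new Error(`Role with name ${p.RoleName} already exists.`);
        e.code = 'EntityAlreadyExists';
        throw e;
      }
      roles.add(p.RoleName);
      return { Role: { RoleName: p.RoleName, Arn: `arn:aws:iam::${accountId}:role/${p.RoleName}` } };
    }),
    attachRolePolicy: op('attachRolePolicy', () => ({})),
    createInstanceProfile: op('createInstanceProfile', (p) => ({ InstanceProfile: { InstanceProfileName: p.InstanceProfileName } })),
    addRoleToInstanceProfile: op('addRoleToInstanceProfile', () => ({})),
  };
}

async function main() {
  const apply = process.argv.includes('--apply');
  // With --apply the real client is used; credentials come from `aws configure` as in the lab.
  const iam = apply ? new (require('aws-sdk').IAM)() : fakeIam();
  const result = await provisionEc2Role(iam, ROLE_NAME, POLICY_ARN);
  console.log(apply ? 'provisioned:' : 'dry run against fake client:', result);
}

main().catch((err) => {
  // SDK v2 errors carry the IAM error code in err.code, e.g. EntityAlreadyExists on a re-run
  console.error('provisioning failed:', err.code || err.message);
  process.exitCode = 1;
});
```

Without --apply the script is a dry run against the fake and prints what it would have done; with --apply it creates the role, attaches the policy, and builds the instance profile in the configured account. Re-running with --apply fails on the first step with EntityAlreadyExists rather than partially repeating the sequence, which is the behaviour you want from a provisioning script.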

In summary, the role can now be assumed by the trusted entity to obtain temporary credentials carrying the attached permissions. Keep in mind that the CLI and SDK paths above created the role with a trust policy only: a permissions policy still has to be attached, and a role intended for EC2 also needs an instance profile before an instance can use it (the console wizard handles both). Remember to manage the roles and their associated permissions carefully to maintain security and least privilege principles within your AWS environment.

References

  1. IAM Roles