Write a custom IAM policy in JSON, create an EC2 service role with a trust policy, attach the policy to a user and the role, and simulate permissions ā all from the CLI.
Before writing policy documents, understand when to use a role instead of a user. Then re-create the devops-student user that was cleaned up at the end of Lesson 102.
aws iam create-user --user-name devops-studentAn IAM user is a permanent identity with long-lived credentials (access keys).
An IAM role is a temporary identity that any trusted principal ā an AWS service, another account, or a federated user ā can assume.
Roles issue short-lived session tokens via AWS STS rather than permanent keys.
EC2 instances, Lambda functions, and other AWS services use roles (not users) to interact with the AWS API.
Because Lesson 102 cleaned up devops-student, run the create-user command above to recreate it for this lesson's exercises.
JSON output confirming the new user:
{
"User": {
"Path": "/",
"UserName": "devops-student",
"UserId": "AIDAIOSFODNN7EXAMPLE",
"Arn": "arn:aws:iam::123456789012:user/devops-student",
"CreateDate": "2024-01-15T10:00:00+00:00"
}
}
Record the Arn ā you will need it in step 8 for the policy simulation.