If you’ve ever been confused by AWS terms like AssumeRole, STS, and Trust Policies, you’re not alone.
Here’s the simplest way to understand them — using something we all recognize: ID cards, employees, and security desks.
🧠 Key Concept
Think of AWS like a secure building. Inside this building are restricted areas like:
📦 A storage room (S3)
🔐 A vault (Secrets Manager)
🧾 A database office (DynamoDB)
To get into these areas, you need an ID card with the right permissions.
🧾 IAM Role = ID Card
An IAM Role is like a special ID card that says:
“Whoever holds this card can access the storage room and the vault.”
It doesn’t belong to a specific person. Two things are attached to it: a permissions policy (which rooms the card opens) and a trust policy (who is allowed to hold the card).
👨💼 Principal = Trusted Employee
A Principal is the employee who asks to borrow the ID card: an IAM user or role, an AWS service, or a federated identity such as the OIDC provider of an EKS cluster.
For example:
An EKS Pod (identified through its service account and the cluster’s OIDC provider)
A Lambda function (identified through the lambda.amazonaws.com service principal)
An IAM User
The Trust Policy is attached to the role and defines which principals may assume it. It can also carry conditions that narrow the match further; for an EKS pod that is the namespace and service-account name carried in the token’s sub claim.
🛡️ STS (Security Token Service) = Security Desk
STS is like the security desk in the building.
When a trusted employee (e.g., an EKS pod) walks up to the security desk and says:
“I’d like to assume the StorageAccess role,”
STS checks the role’s Trust Policy:
Is this principal allowed to assume this role, and do the policy’s conditions match the request? (For cross-account AssumeRole the caller’s own IAM policy must also allow sts:AssumeRole.)
✅ If yes → STS gives the pod a temporary ID card: an access key, a secret key and a session token
⏱ That ID card is valid for at least 15 minutes and at most the role’s maximum session duration (1 hour by default, configurable up to 12 hours); when it expires, the pod has to go back to the desk
🔄 Real-Life Flow
Here’s how it all fits together in AWS:
🧑 An EKS pod starts up and wants to access S3.
📇 Kubernetes mounts a projected service-account token (an OIDC JWT) into the pod; the AWS SDK sends it to STS with AssumeRoleWithWebIdentity, naming the role it wants (this is IAM Roles for Service Accounts, IRSA).
🛡️ STS verifies the token against the cluster’s OIDC provider and checks the role’s Trust Policy, including the condition on the token’s sub claim (namespace and service-account name).
✅ If allowed, STS returns temporary AWS credentials (access key, secret key and session token).
🔐 The pod uses these credentials to access S3, DynamoDB, etc., within whatever the role’s permissions policy allows; the SDK refreshes them before they expire.
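To make the security-desk check concrete, here is an added example (not code from the original post, and not AWS’s own evaluator) that models the Trust Policy decision from the STS section and the pod flow above. It builds a trust policy in the shape IRSA uses, constructs the claims a projected service-account token would carry, and evaluates whether STS should hand out a temporary card. The account ID, OIDC provider host, namespace and service-account names are hypothetical, and the evaluator only covers Federated principals, the StringEquals/StringLike condition operators and explicit Deny; the real check is done by STS, which also verifies the token’s signature.

```python
import re

# Hypothetical identifiers used throughout (assumed, not from the original post).
ACCOUNT_ID = "111122223333"
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ASSUME_WEB_IDENTITY = "sts:AssumeRoleWithWebIdentity"
MAX_SESSION_DURATION = 3600  # the role's MaxSessionDuration: 1 h by default, up to 12 h


def irsa_trust_policy(sub_pattern, operator="StringEquals"):
    """Trust policy in the shape EKS IAM Roles for Service Accounts (IRSA) uses:
    the trusted principal is the cluster's OIDC provider, narrowed by the
    service-account identity in the token's `sub` claim and by `aud`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": ASSUME_WEB_IDENTITY,
            "Condition": {operator: {
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{OIDC_HOST}:sub": sub_pattern,
            }},
        }],
    }


TRUST_POLICY = irsa_trust_policy("system:serviceaccount:payments:storage-reader")
# The common mistake: a wildcard `sub` trusts every service account in the cluster.
LOOSE_TRUST_POLICY = irsa_trust_policy("system:serviceaccount:*", operator="StringLike")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """IAM StringLike semantics: `*` matches any run of characters, `?` exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _conditions_hold(condition, claims):
    """Every key under every operator must hold; keys look like '<issuer host>:<claim>'."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            claim_values = _as_list(claims.get(key.rsplit(":", 1)[1], []))
            if operator == "StringEquals":
                ok = any(v in _as_list(expected) for v in claim_values)
            elif operator == "StringLike":
                ok = any(_glob_match(p, v) for p in _as_list(expected) for v in claim_values)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate_assume_role(trust_policy, request):
    """Simplified model of the decision STS makes for AssumeRoleWithWebIdentity.
    The token's issuer must appear as a Federated principal in a statement for the
    requested action whose conditions hold; an explicit Deny overrides any Allow.
    Returns (allowed, reason)."""
    issuer = request["claims"].get("iss", "")
    issuer_arn = f"arn:aws:iam::{request['account_id']}:oidc-provider/{issuer.removeprefix('https://')}"
    allowed = False
    for stmt in trust_policy["Statement"]:
        if request["action"] not in _as_list(stmt.get("Action", [])):
            continue
        if issuer_arn not in _as_list(stmt.get("Principal", {}).get("Federated", [])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), request["claims"]):
            continue
        if stmt["Effect"] == "Deny":
            return False, "explicit Deny statement matched"
        allowed = True
    return (True, "trust policy allows this token") if allowed else (False, "no Allow statement matched")


def session_duration(requested_seconds, max_session_duration=MAX_SESSION_DURATION):
    """STS only issues sessions between 15 minutes and the role's MaxSessionDuration."""
    if not 900 <= requested_seconds <= max_session_duration:
        raise ValueError(f"DurationSeconds must be 900..{max_session_duration}, got {requested_seconds}")
    return requested_seconds


def request_for(claims):
    """The AssumeRoleWithWebIdentity call the pod's SDK makes, reduced to what the check needs."""
    return {"account_id": ACCOUNT_ID, "action": ASSUME_WEB_IDENTITY, "claims": claims}


# Constructed claims as they would appear in a projected service-account token (not real tokens).
POD_CLAIMS = {"iss": f"https://{OIDC_HOST}", "aud": "sts.amazonaws.com",
              "sub": "system:serviceaccount:payments:storage-reader"}
OTHER_POD_CLAIMS = dict(POD_CLAIMS, sub="system:serviceaccount:default:scratch")
OTHER_CLUSTER_CLAIMS = dict(POD_CLAIMS, iss="https://oidc.eks.us-east-1.amazonaws.com/id/OTHERCLUSTER")

if __name__ == "__main__":
    for name, policy, claims in [("intended pod", TRUST_POLICY, POD_CLAIMS),
                                 ("other namespace", TRUST_POLICY, OTHER_POD_CLAIMS),
                                 ("other cluster", TRUST_POLICY, OTHER_CLUSTER_CLAIMS),
                                 ("other namespace, loose policy", LOOSE_TRUST_POLICY, OTHER_POD_CLAIMS)]:
        print(f"{name:32} -> {evaluate_assume_role(policy, request_for(claims))}")
```

The fourth case is the one to watch for in reviews: a StringLike wildcard on the sub claim turns the security desk into one that hands the card to anyone wearing the cluster’s uniform, so every pod in every namespace can assume the role. The aud condition matters too; without it, a token minted for some other audience could be replayed against STS.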
📌 Quick Summary Table
AWS Term | Real-Life Analogy
IAM Role | ID card with access permissions
Principal | Employee allowed to use the card
STS | Security desk giving temporary cards
AssumeRole | Asking to borrow the card
Trust Policy | List of trusted employees
✅ Final Words
Understanding IAM roles becomes easy when you think in real-world terms.
Next time you see AssumeRole, just remember:
“It’s like borrowing an ID card from security to access a room you’re allowed into — but only temporarily.”