📘 AWS IAM Roles Explained Desi-Style — Guest Lecturers, Inter-School Passes & Temporary IDs! (Part 3)

🎒 Welcome back to the IAM School Series – Part 3!

We’ve already decoded:

• 🧾 IAM Policies (Hall Passes)
• 🚧 Permission Boundaries
• ⛔ Explicit Deny

But what about guests, temporary permissions, and inter-school exchanges?

---

🎭 Part 3: "Guest Lecturers aur Inter-School Guests ka Raaz – IAM Roles & STS"

Ever wondered:

“Yeh sts:AssumeRole kya hai?”

“Kaise ek Lambda doosre account ka access le leti hai?”

Time to simplify this with our school analogy!

---

🏫 Meet the Role System — School Guest Management

IAM Concept	School Analogy	Purpose
IAM Role	Guest Lecturer ID Card	Temporary identity with specific permissions
sts:AssumeRole	Principal Signs the Guest Entry Form	Grants temporary permission to act like a role
Temporary Credentials	Visitor Badge Valid for Few Hours	Short-term access for specific duties

---

🏫 School Example: Mr. Sharma, The Guest Lecturer

🎓 A teacher from another school (School A) visits our school (School B) to teach a class in Room 7B (DynamoDB table).

Steps:

1. 📝 Mr.Sharma fills out a guest entry form
   
   (sts:AssumeRole request from Account A)

2. 🧾 The Principal of School B signs and approves it
   
   (Trust Policy in Account B allows Mr. Sharma to assume the role)

3. 📋 Mr. Sharma receives a temporary visitor badge
   
   (Temporary credentials issued by STS)

4. 🧑‍🏫 Mr. Sharma teaches in Room 7B only
   
   (Access limited to a specific DynamoDB table)

---

💻 Real AWS Example: Cross-Account DynamoDB Access using IAM Role

Let’s assume:

• Account A (ID: 111111111111) – where IAM user mr-sharma exists
• Account B (ID: 222222222222) – owns the role and the DynamoDB table Room7B

---

🛂 Trust Policy in Account B (GuestLecturerRole):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/mr-sharma"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

🧠 This trust policy allows mr-sharma from Account A to assume the GuestLecturerRole in Account B.

✅ Role Permissions in Account B (GuestLecturerRole):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dynamodb:PutItem"],
      "Resource": "arn:aws:dynamodb:<REGION>:222222222222:table/Room7B"
    }
  ]
}

🧠 This role grants write access (e.g., teaching = putting data) to the Room7B DynamoDB table.

---

🔁 Assume Role from Account A (CLI Command):

aws sts assume-role \
  --role-arn arn:aws:iam::222222222222:role/GuestLecturerRole \
  --role-session-name SharmaGuestSession

📦 This command returns temporary credentials:

• AccessKeyId
• SecretAccessKey
• SessionToken

⚙️ Use these credentials to perform DynamoDB actions, for example:

aws dynamodb put-item \
  --table-name Room7B \
  --item '{"StudentID": {"S": "1994"}, "Attendance": {"S": "Present"}}' \
  --region <REGION>

---

⏳ Result:

mr-sharma from Account A can temporarily access the Room7B DynamoDB table in Account B using the GuestLecturerRole.

🔐 This only works because:

• ✅ The trust policy permits role assumption
• ✅ The role permissions grant required DynamoDB access
• ✅ The user assumes the role correctly via STS

🎓 Just like in school — a guest lecturer can teach in a specific classroom, only after the principal signs off and rules are followed!

---

🧠 What is STS Exactly?

Security Token Service (STS) = Principal’s signature authority for guest IDs.

• 🪪 Issues temporary credentials
• 🔁 Used for cross-account, cross-service, or time-limited access
• ⏱️ Temporary creds = Expire in minutes to hours
• 🔐 Highly secure — just like a valid visitor ID!

---

✅ Summary — IAM Roles & STS = Guest Access Done Right

IAM Concept	School Analogy	AWS Use Case
IAM Role	Guest Lecturer ID Card	Predefined permissions someone can assume
sts:AssumeRole	Entry approval by Principal	Grants temporary access via trust policy
Temporary Credentials	Visitor Badge	Time-limited, session-based AWS access

---

🔜 Coming Up Next: Part 4 — Temporary Workers, Interns, and Lambda Roles!

🎯 In Part 4, we’ll explore:

• Lambda roles
• EC2 instance roles
• Default session timeouts
• Use cases like: “Intern ko sirf 1 din ke liye access dena hai, kaise karein?”

📚 Stay tuned — IAM school ki kahani abhi baaki hai mere dost! 🚀

---

👨‍💻 About Me

Hi! I'm Utkarsh, a Cloud Specialist & AWS Community Builder who loves turning complex AWS topics into fun chai-time stories ☕

👉 Explore more

---

🗣️ Your Feedback = My Fuel

If this made IAM:

• Easy to understand 💡
• Fun to learn 🎉
• Or gave you a school flashback 🎒

Then share it, comment, or just say hi — it helps me keep the chai warm and the blogs coming! ☁️💻

---

Jai Cloud! Jai Code! Jai IAM! 🇮🇳🚀