DEV Community

Cover image for Pixel & Spoon Hands-On: Creating IAM Roles 🎫

Pixel & Spoon Hands-On: Creating IAM Roles 🎫

Chapter 4.4 β€” Hands-on companion to Chapter 4: IAM: The Gatekeeper of AWS. Users have logins. Groups have policies. But Karthik the auditor needs temporary access β€” and the CI/CD bot isn't even a human. Both need Roles.


The Problem Users Can't Solve

So far at Pixel & Spoon we have:

  • Permanent IAM users for Aarav, Meera, Rohit, and Subham
  • Groups that manage their permissions cleanly
  • Custom policies with only what each role needs

But two situations just came up that users and groups can't handle well.

Situation 1 β€” Karthik, the External Auditor

Pixel & Spoon needs a compliance audit. Karthik is brought in for one week. He needs read-only access to review the AWS setup.

You could create an IAM user for him. But then what? After the audit, you have to remember to delete it. Miss that, and there's a dormant login sitting in your account indefinitely β€” a security risk with no benefit.

Situation 2 β€” The CI/CD Bot

Pixel & Spoon's deployment pipeline automatically pushes new code to AWS every time Aarav commits an update. This process needs AWS access to do its job.

But it's not a person. It can't log in with a username and password. Hardcoding AWS credentials into the deployment script is the worst possible option β€” if that script ever leaks, your entire account is exposed.

Both situations need the same solution: IAM Roles.


🎫 What Makes Roles Different

Think back to Chapter 4's office building analogy.

Users are permanent employees with ID badges that don't expire.

Roles are visitor passes β€” temporary credentials issued for a specific purpose, that expire automatically, and can be assumed by whoever needs them at that moment.

alt text

πŸ‘€ IAM User     β†’  Permanent identity, long-term credentials
                   Belongs to one specific person or system

🎫 IAM Role     β†’  Temporary identity, short-lived credentials
                   Can be assumed by users, services, or other accounts
                   Expires automatically β€” no cleanup needed
Enter fullscreen mode Exit fullscreen mode

No hardcoded passwords. No forgotten logins. Clean, auditable, automatic.


πŸ› οΈ Part 1: Creating a Role for Karthik (Human Temporary Access)

We'll create a role that Karthik can assume for half a day, giving him read-only access to review Pixel & Spoon's setup.


Step 1 β€” Open IAM β†’ Roles

Search IAM in the console β†’ left sidebar β†’ Roles β†’ orange Create role button.

alt text


Step 2 β€” Choose Trusted Entity Type

You'll see four options for who can assume this role:

β—‹ AWS service
     An AWS service like EC2 or Lambda assumes the role automatically.
     Used when your own infrastructure needs to talk to other AWS services.
     Example: a server that uploads files to S3 without hardcoded passwords.

β—‹ AWS account          ← Karthik's option
     A person or system from another AWS account assumes the role.
     Used for external collaborators, auditors, or cross-team access.
     Example: Karthik logging in from his own company's AWS account.

β—‹ Web identity
     Users who sign in via Google, Facebook, Amazon Cognito, etc.
     Used for mobile or web apps where end users need temporary AWS access.
     Example: a user logs into your app with Google and gets access to their own S3 folder.

β—‹ SAML 2.0 federation
     Employees who sign in via a company identity system (like Okta or Active Directory).
     Used by large organisations that already have their own login infrastructure.
     Example: all 500 employees at a company use their work email to access AWS β€” no separate IAM users needed.
Enter fullscreen mode Exit fullscreen mode

Karthik is from an external company with their own AWS account. Select AWS account.

Enter "Another AWS account" and type in Karthik's company AWS account ID.

πŸ’‘ If Karthik doesn't have an AWS account, choose "This account" instead and you'll let him switch into the role from a temporary IAM user you create. For now we'll assume he has his own account.

Tick "Require MFA" β€” this means even after assuming the role, Karthik must have MFA active. Good practice for any external access.

Click Next.

alt text


Step 3 β€” Attach a Permission Policy

Search for and select:

ReadOnlyAccess
Enter fullscreen mode Exit fullscreen mode

This is an AWS-managed policy that gives read-only access across all AWS services β€” Karthik can look at everything but change nothing. Perfect for an audit.

If You can not find it, Select AWSManaged - job-function Filter and then search for ReadOnlyAccess.

alt text

Click Next.


Step 4 β€” Name the Role

Role name:   PixelSpoon-Auditor-ReadOnly
Description: Temporary read-only access for external auditors.
             Requires MFA. Maximum session 12hours.
Enter fullscreen mode Exit fullscreen mode

Click Create role.

alt text


Step 5 β€” Set the Maximum Session Duration

Click into the role you just created β†’ Edit next to "Maximum session duration" β†’ set it to 12 hours (the maximum AWS allows for role sessions).

This means Karthik's assumed session automatically expires after 12 hours. No manual cleanup required.

alt text


Step 6 β€” Share the Role ARN with Karthik

On the role summary page, copy the Role ARN β€” it looks like:

arn:aws:iam::563960656008:role/PixelSpoon-Auditor-ReadOnly
Enter fullscreen mode Exit fullscreen mode

Send this to Karthik. He uses it to "switch roles" inside his own AWS console β€” his credentials stay his own, but he temporarily gains your role's permissions for the duration of the audit.

When the time is over, his session expires. Nothing to delete. Nothing to forget.


πŸ€– Part 2: Creating a Service Role for the CI/CD Bot

Now for the trickier one β€” the deployment bot.

This isn't a human assuming a role. It's an AWS service (in this case, we'll use EC2 as the example, since the bot runs on a server) that needs permission to deploy code to other AWS services.


Step 1 β€” Create Role β†’ AWS Service

IAM β†’ Roles β†’ Create role β†’ select AWS service.

Under "Service or use case," select EC2.

This tells AWS: "I want to create a role that an EC2 instance can assume."

Click Next.

Select Trusted Entity as AWS Service AWS Console Screenshot


Step 2 β€” Attach the Right Policy

The CI/CD bot needs to deploy code β€” which in Pixel & Spoon's case means pushing files to S3 and triggering deployments. Search for and attach:

AmazonS3FullAccess
Enter fullscreen mode Exit fullscreen mode

For a real deployment pipeline you'd write a tighter custom policy (Least Privilege again), but for this walkthrough this gets us moving.

Click Next.

alt text

πŸ€” "Wait β€” why S3? Can't we just store the code directly on EC2?"

Quick context before we answer β€” if these terms are new to you:

EC2 is a virtual server on AWS β€” the machine that runs your code.
Think of it as a computer in the cloud. We cover it fully in Chapter 5.

S3 is AWS's storage service β€” like a hard drive in the cloud that
exists independently of any server. We cover it fully in Chapter 8.

Now β€” back to the question.

Yes, you can store deployment files directly on EC2. In simple
setups, people do exactly that.

But here's the problem:

EC2 instances can be stopped, replaced, or terminated at any time β€”
especially once we add Auto Scaling in Chapter 6. When that happens,
everything stored locally on that instance is gone.

S3 lives outside any single server. Your files sit there safely,
and it doesn't matter how many EC2 instances come and go β€”
the files are always available.

Think of it like this:

EC2 is the chef. S3 is the pantry.
You don't store the ingredients inside the chef.

We'll cover both properly in their own chapters β€” for now,
just know this is exactly the kind of problem S3 was built to solve.


Step 3 β€” Name the Role

Role name:   PixelSpoon-CICD-DeployRole
Description: Service role for CI/CD deployment bot.
             Assumed by EC2. Allows S3 deploy access.
Enter fullscreen mode Exit fullscreen mode

Click Create role.


Step 4 β€” Attach the Role to Your EC2 Instance

When you launch the EC2 instance that runs the deployment bot (we'll do this properly in Chapter 5), there's an option called IAM instance profile β€” this is where you select PixelSpoon-CICD-DeployRole.

The instance then automatically receives temporary, rotating credentials for this role. No passwords. No access keys stored in code. AWS handles credential rotation completely.

πŸ€– CI/CD Bot (EC2 instance)
        β”‚
        β”‚  assumes role automatically
        ↓
🎫 PixelSpoon-CICD-DeployRole
        β”‚
        β”‚  grants permission to
        ↓
πŸͺ£ S3 Bucket  β†’  deploys files
Enter fullscreen mode Exit fullscreen mode

This is considered the gold standard for giving AWS services access to other AWS services. You'll see this pattern everywhere as the series progresses.


βœ… Where Pixel & Spoon Stands Now

The IAM setup is complete. Here's the full picture:

🏒 Pixel & Spoon β€” AWS Account

πŸ”’ Root account          β†’  Locked with MFA. Used for emergencies only.

πŸ‘₯ Developers Group      β†’  PixelSpoon-Developer-EC2 policy
        └── aarav-dev
        └── subham-dev

πŸ‘₯ Designers Group       β†’  AmazonS3FullAccess
        └── meera-design

πŸ‘₯ Admins Group          β†’  AdministratorAccess
        └── rohit-devops

πŸ‘€ divya-intern          β†’  PixelSpoon-Intern-ReadOnly (direct attach, temp)

🎫 PixelSpoon-Auditor-ReadOnly    β†’  For Karthik, expires in 12 hours
🎫 PixelSpoon-CICD-DeployRole     β†’  For the deployment bot, assumed by EC2
Enter fullscreen mode Exit fullscreen mode

Every identity has exactly the access it needs. Nothing more.

That's Least Privilege β€” applied end to end across a real team.


πŸ—ΊοΈ Continue the Hands-On Series

Ch 4.1 β€” βœ… Creating IAM Users

Ch 4.2 β€” βœ… Creating and Managing IAM Groups

Ch 4.3 β€” βœ… Writing and Attaching IAM Policies

Ch 4.4 β€” βœ… Creating IAM Roles: Human & Service (you are here)

The IAM arc is complete. Pixel & Spoon's account is secured, organised, and ready to actually build something.

Aarav has been waiting patiently. It's time to give him a server.

πŸ‘‰ Chapter 5: EC2 β€” Your First Server in the Cloud β†’ (Read it here)


Resources I'm learning from:


Top comments (0)