AWS IAM Trust Relationship Simulation

Learn how IAM roles and trust relationships work together

Steps:
1. Initial Setup
2. Attach Policy
3. Trust Relationship
4. Assume Role
5. Verification
6. Credentials

Initial Setup

Step 1/6

An AWS account with an IAM user (DevUser) and an IAM role (SageMakerRole)

DevUser

Identity:
arn:aws:iam::123456789012:user/DevUser
Attached Policy:
AssumeRoleSageMakerPolicy
{
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::123456789012:role/SageMakerRole"
}

SageMakerRole

Role ARN:
arn:aws:iam::123456789012:role/SageMakerRole
Trust Relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:user/DevUser" },
      "Action": "sts:AssumeRole"
    }
  ]
}

AssumeRole API Call

$ aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/SageMakerRole \
  --role-session-name DevUserSession

Access Verification

User Policy: ✓ DevUser has sts:AssumeRole on the SageMakerRole ARN
AND
Role Trust: ✓ SageMakerRole's trust policy trusts DevUser
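Added example (not part of the original simulation): a small Python model of the two-sided check shown above, where the caller's identity-based policy AND the role's trust policy must both allow sts:AssumeRole. The policies are constructed to mirror the page's DevUser / SageMakerRole setup; the helper names and the simplified evaluation rules (no Condition keys, SCPs or session policies) are assumptions of this example.

```python
import fnmatch

# Constructed policies mirroring the page's DevUser / SageMakerRole setup
USER_ARN = "arn:aws:iam::123456789012:user/DevUser"
ROLE_ARN = "arn:aws:iam::123456789012:role/SageMakerRole"

USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _evaluate(statements, action, resource=None, principal=None):
    """Simplified IAM logic (assumption): explicit Deny wins, any matching Allow
    grants, otherwise implicit Deny. Conditions, SCPs, session policies ignored."""
    decision = "Deny"
    for stmt in statements:
        # Action and Resource accept * and ? wildcards; fnmatch models that
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if resource is not None and not any(
                fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if principal is not None:
            p = stmt.get("Principal", {})
            trusted = _as_list(p.get("AWS", []) if isinstance(p, dict) else p)
            if principal not in trusted and "*" not in trusted:
                continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_assume_role(caller_arn, caller_policy, role_arn, trust_policy):
    """Both halves of the page's check must allow: the caller's identity-based
    policy (action + resource) AND the role's trust policy (action + principal)."""
    user_side = _evaluate(caller_policy["Statement"], "sts:AssumeRole", resource=role_arn)
    trust_side = _evaluate(trust_policy["Statement"], "sts:AssumeRole", principal=caller_arn)
    return {"user_policy": user_side, "trust_policy": trust_side,
            "allowed": user_side == "Allow" and trust_side == "Allow"}


if __name__ == "__main__":
    print(can_assume_role(USER_ARN, USER_POLICY, ROLE_ARN, TRUST_POLICY))
    # A caller the trust policy does not name is refused even with a matching user policy
    print(can_assume_role("arn:aws:iam::123456789012:user/Intern", USER_POLICY, ROLE_ARN, TRUST_POLICY))
```

Running it shows the first call allowed on both sides and the second refused by the trust policy alone, which is the failure mode to look for when an AssumeRole call returns AccessDenied despite a correct user policy.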

Temporary Credentials Issued

Response:
{
  "Credentials": {
    "AccessKeyId": "ASIA2EXAMPLE3EXAMPLE",
    "SecretAccessKey": "wJalrXUt...K7MDENG/bPxRfiCY",
    "SessionToken": "FwoGZXI...R8H5dNLFC",
    "Expiration": "2025-03-19T16:00:00Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROA2EXAMPLE:DevUserSession",
    "Arn": "arn:aws:sts::123456789012:assumed-role/SageMakerRole/DevUserSession"
  }
}
Role successfully assumed!
DevUser now holds temporary credentials that carry SageMakerRole's permissions until the Expiration time in the response; actions taken with them are attributed to the assumed-role ARN shown under AssumedRoleUser, not to DevUser's own identity.