You can also restrict the trust relationship so that the IAM role can be assumed only by specific IAM users. You can do this by specifying principals similar to arn:aws:iam::123456789012:user/example-username. For more information, see AWS JSON Policy Elements: Principal.
Create the IAM role and attach the policy
Create an IAM role that can be assumed by Bob that has read-only access to Amazon Relational Database Service (Amazon RDS) instances. Because this IAM role is assumed by an IAM user, you must specify a principal that allows IAM users to assume that role. For example, a principal similar to arn:aws:iam::123456789012:root allows all IAM identities of the account to assume that role. For more information, see Creating a Role to Delegate Permissions to an IAM User.
If you already have an access key for your account, we recommend the following: Find places in your applications where you are currently using that key (if any), replace the root user access key with an IAM user access key, and then disable and remove the root user access key. By default, AWS does not generate an access key for new accounts. The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources. For more information about creating policies, see key concepts in Using AWS Identity and Access Management.Here are sample policies.
1. Create the IAM role that has read-only access to Amazon RDS DB instances. Attach the IAM policies to your IAM role according to your security requirements.
The aws iam create-role command creates the IAM role and defines the trust relationship according to the contents of the JSON file. The aws iam attach-role-policy command attaches the AWS Managed Policy AmazonRDSReadOnlyAccess to the role. You can attach different policies (Managed Policies and Custom Policies) according to your security requirements. The aws iam list-attached-role-policies command shows the IAM policies that are attached to the IAM role example-role.
AWS Access Keys. Access Keys are used to sign the requests you send to Amazon S3. Like the Username/Password pair you use to access your AWS Management Console, Access Key Id and Secret Access Key are used for programmatic (API) access to AWS services. You can manage your Access Keys in AWS Management Console. Run the q command to close PostgreSQL, or run the exit command to close MySQL.Then, log out from the instance. Create an IAM role that allows Amazon RDS access. Open the IAM console, and choose Roles from the navigation pane. Choose Create role, choose AWS service, and then choose EC2. For Select your use case, choose EC2, and then choose Next: Permissions. Tutorial on AWS credentials and how to configure them using Access keys, Secret keys, and IAM roles. We teach you how to install the AWS Command Line Interface (CLI), create an access/secret key in IAM, configure credentials and profiles for AWS CLI and SDKs, what IAM roles are and when to use them, and more! You do not generate IAM Access Key / Secret Key for roles. AWS generates these for you and makes them available in the instance's metadata. The AWS Tools for Windows PowerShell will automatically extract the access key / secret key from the instance's metadata if you have installed PowerShell and the AWS Tools correctly.
In the video on the left, Emanuel shows you how to create an AWS access key for an existing IAM user
In the video on the right, Deren shows you how to create an access key ID for a new IAM user
I need an AWS access key to allow a program, script, or developer to have programmatic access to the resources on my AWS account. How do I create a new access key?
An access key grants programmatic access to your resources. This means that the access key should be guarded as carefully as the AWS account root user sign-in credentials.
It's a best practice to do the following:
Create an IAM user and then define that user's permissions as narrowly as possible.
Create the access key under that IAM user.
For more information, see What are some best practices for securing my AWS account and its resources?