Trust policy

A trust policy in AWS is a JSON document that defines which principals (entities) are allowed to assume a role. It's a crucial component of IAM roles that determines who can use the role's permissions.

Here's a breakdown with an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com",
                "AWS": "arn:aws:iam::123456789012:user/DevUser"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "us-east-1"
                }
            }
        }
    ]
}

Key components of a trust policy:

Version: Always "2012-10-17" (current version of the policy language)
Principal: Specifies who can assume the role:
- AWS services (like EC2, Lambda)
- AWS accounts
- IAM users
- IAM roles
Effect: Either "Allow" or "Deny"
Action: Usually "sts:AssumeRole" for trust policies
Condition (optional): Additional requirements that must be met

Common use cases:

Allowing EC2 instances to access other AWS services
Cross-account access
Enabling AWS services to perform actions on your behalf
Federation with external identity providers

Would you like me to provide more specific examples for any particular use case?

PreviousIAM Policy Examples NextIAM roles cannot be attached to IAM Groups

Last updated 8 months ago

Was this helpful?