AWS Certified Solutions Architect - Associate (SAA-C02)


Wanted to understand user role and policy and the association of them with user

Can someone explain the user role vs policy in deep detail? Even a link will be helpful.

4 Answers

In brief, the role is what this user should do in our system, and it consists of some policies; each policy represents some actions that will be given to that user.

So the Role consists of one or more policies.

AFAIK, a User is tied to a physical user, whereas a Role is tied to an actual resource (EC2, S3 etc.) in AWS, i.e. if an EC2 resource needs to access an S3 resource, it needs access permission for S3 and that comes from the Role. If EC2 has the right Role which grants it permission to read S3, it can read a file from S3 but can’t write. Policies are sets of rules, usually defined in JSON, which can be attached to Users, Groups or Roles.

Another thought would be that a Role is something you assign to your users (Functions), while a Policy can either be custom made by the root account or managed by AWS themselves.

A role is more a temporary acquisition of a specific set of permissions as defined by a policy document. Most often, a "role" is assigned to an application rather than assumed by a specific user, but it is possible.

Consider you have a lambda function that takes input and stores something in S3 buckets. You wouldn’t need to create some kind of temporary user to provide lambda write permissions to S3: you would create a role. This role would then have an attached policy document and lambda is given the ability to assume this role. Then, when a batch of work comes in and lambda needs to write to S3, it can assume this available role to complete its work. A second role might give the same lambda access to EC2 compute for example. It breaks down permissions into granular actions that a service requires to complete a specific task.
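The Lambda-to-S3 case from the last answer, written out as an added example that is not part of any of the answers above: a CloudFormation fragment defining one role with its two policy documents, the trust policy (who may assume the role) and the permissions policy (what the role may do once assumed). The logical name `UploadFunctionRole`, the policy name and the bucket `example-bucket` are constructed placeholders.

```yaml
# Added example; resource names and bucket are placeholders, not from the page.
Resources:
  UploadFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: answers "who is allowed to assume this role?"
      # Only the Lambda service principal can, so no IAM user is involved.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Permissions policy: answers "what can the role do once assumed?"
      # Scoped to writing objects in a single bucket; reads, deletes and
      # every other bucket stay implicitly denied.
      Policies:
        - PolicyName: write-objects-to-example-bucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:PutObject
                Resource: arn:aws:s3:::example-bucket/*
```

The same permissions policy document could instead be attached to a user or a group; only a role carries the trust policy section.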
