IAM role for AWS workspace


I have created AWS WorkSpaces for some users. Is there any way we can add an IAM role to AWS WorkSpaces, the same as we do with EC2 instances, so that they do not need AWS keys and can access AWS services as per the IAM role attached to the workspace?

Edited by: ashishnm1983 on Mar 20, 2020 1:07 PM

asked 3 years ago, 278 views
3 Answers
answered 3 years ago

This is a shame - the underlying VM is an EC2 instance, and so does actually have instance metadata available, the problem being that it's running as an EC2 instance in an AWS internal account rather than managed within your own.

With the current Workspaces arrangement (unlike the older TS based implementation) it seems this amounts to "can I grant IAM roles to someone else's EC2 instance", and unfortunately that doesn't seem to be possible at present. (It's possible to create a role and grant the Workspaces AWS account permission to use it, but granting access to that role to the EC2 instance itself would seem to need cooperation from the Workspaces EC2 account holder, which of course isn't available.)

It might not be too hard for AWS to add a Workspaces API call to associate a role - I'll raise this with our AWS contacts next week as a request.

As an interim measure I think I'll probably have to put IAM credentials in the user's AD object and retrieve those programmatically from within the instance, rather than being able to grab them straight from instance metadata, which is a bit of a shame but not the end of the world.

answered 3 years ago

Hey James,

May I ask if you were able to retrieve IAM credentials from the AD object? With the AWS DS SDK not exposing user-related information, it seems it's not an obvious task.
The only way out looks to be to have the workspace user configure static access keys (with 0 access) and let him assume a temporary elevated role for a limited duration.

Edited by: nullpointergonewild on Feb 24, 2021 10:05 AM
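
The pattern suggested in the reply above (a static key with no permissions of its own that can only assume a time-limited role), shown as an added example that is not part of the original thread. The account ID, role name and user name are constructed placeholders, and `assume_only_findings` is a hypothetical helper that checks the user's policy grants nothing beyond `sts:AssumeRole` on named roles.

```python
import json

# Constructed placeholders (assumptions, not values from the thread).
ACCOUNT = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/workspace-elevated"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/workspace-user"

def user_policy(role_arn):
    """Identity policy for the static key: may call sts:AssumeRole on one role, nothing else."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}

def trust_policy(user_arn):
    """Trust policy on the elevated role: only the named user may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"AWS": user_arn},
                           "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def assume_only_findings(policy):
    """Return reasons why an identity policy grants more than sts:AssumeRole on specific roles."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"statement {i}: NotAction/NotResource allows an open-ended set")
            continue
        for action in _as_list(st.get("Action", [])):
            if action.lower() != "sts:assumerole":  # IAM action names are case-insensitive
                findings.append(f"statement {i}: extra action {action}")
        for res in _as_list(st.get("Resource", [])):
            if "*" in res or "?" in res or ":role/" not in res:
                findings.append(f"statement {i}: resource {res} is not a single role ARN")
    return findings

if __name__ == "__main__":
    print(json.dumps(user_policy(ROLE_ARN), indent=2))
    print(json.dumps(trust_policy(USER_ARN), indent=2))
    print(assume_only_findings(user_policy(ROLE_ARN)))
```

The lifetime of the elevated session is set with `DurationSeconds` on the `AssumeRole` call and is capped by the role's maximum session duration.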

answered 2 years ago
