IAM role for AWS workspace

0

I have created AWS WorkSpaces for some users. Is there any way we can add an IAM role to AWS WorkSpaces, the same as we do with EC2 instances, so that they do not need AWS keys and can access AWS services as per the IAM role attached to the workspace?

Edited by: ashishnm1983 on Mar 20, 2020 1:07 PM

Asked 4 years ago, 1858 views

3 answers

0

Answered 4 years ago
0

This is a shame - the underlying VM is an EC2 instance, and so does actually have instance metadata available, the problem being that it's running as an EC2 instance in an AWS internal account rather than managed within your own.

With the current Workspaces arrangement (unlike the older TS based implementation) it seems this amounts to "can I grant IAM roles to someone else's EC2 instance", and unfortunately that doesn't seem to be possible at present. (It's possible to create a role and grant the Workspaces AWS account permission to use it, but granting access to that role to the EC2 instance itself would seem to need cooperation from the Workspaces EC2 account holder, which of course isn't available.)

It might not be too hard for AWS to add a Workspaces API call to associate a role - I'll raise this with our AWS contacts next week as a request.

As an interim measure I think I'll probably have to put IAM credentials in the user's AD object and retrieve those programmatically from within the instance, rather than being able to grab them straight from instance metadata, which is a bit of a shame but not the end of the world.

Answered 4 years ago
0

Hey James,

May I ask if you were able to retrieve IAM credentials from the AD object? With the AWS DS SDK not exposing user-related information, it seems it's not an obvious task.
The only way out looks to be: to let the workspace user configure static access keys (with 0 access) and let him assume a temporary elevated role for a limited duration.

Edited by: nullpointergonewild on Feb 24, 2021 10:05 AM

Answered 3 years ago
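The "static keys with 0 access, then assume an elevated role" workaround from the answer above, as an added example that is not part of any post on this page: it builds the three pieces (the user's assume-only policy, the role's trust policy, and the WorkSpace's `~/.aws/config` profile) and includes a check that the user's policy really grants nothing beyond `sts:AssumeRole` on the one role. The account id, user name, role name and region are constructed placeholders.

```python
import json

# Constructed placeholders; substitute your own account id, user and role names.
ACCOUNT_ID = "123456789012"        # placeholder, not a real account
USER_NAME = "workspace-user"       # IAM user whose static keys carry no permissions
ROLE_NAME = "workspace-elevated"   # role the user assumes for real work
MAX_SESSION = 3600                 # one hour; must not exceed the role's MaxSessionDuration

def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def user_policy(account_id: str, role_name: str) -> dict:
    """The only permission the static keys carry: assume one specific role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn(account_id, role_name)}]}

def trust_policy(account_id: str, user_name: str) -> dict:
    """Role trust policy: only this IAM user may assume the role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"}}]}

def cli_config(account_id: str, role_name: str, duration: int) -> str:
    """~/.aws/config for the WorkSpace: 'base' holds the zero-access keys
    (stored with `aws configure --profile base`), 'elevated' assumes the role."""
    return ("[profile base]\n"
            "region = us-east-1\n"
            "\n[profile elevated]\n"
            f"role_arn = {role_arn(account_id, role_name)}\n"
            "source_profile = base\n"
            f"duration_seconds = {duration}\n")

def is_zero_access(policy: dict, allowed_role_arn: str) -> bool:
    """Simple check: every Allow statement must be sts:AssumeRole on the expected
    role and nothing else (wildcards or extra actions fail the check)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a != "sts:AssumeRole" for a in actions) or any(r != allowed_role_arn for r in resources):
            return False
    return True

if __name__ == "__main__":
    print(json.dumps(user_policy(ACCOUNT_ID, ROLE_NAME), indent=2))
    print(json.dumps(trust_policy(ACCOUNT_ID, USER_NAME), indent=2))
    print(cli_config(ACCOUNT_ID, ROLE_NAME, MAX_SESSION))
```

Running `aws sts get-caller-identity --profile elevated` on the WorkSpace then yields temporary credentials that expire after `duration_seconds`, while the long-lived keys in `base` can do nothing on their own.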
