Tag: Confused Deputy


How to Use External ID When Granting Access to Your AWS Resources

by Craig Liebendorfer | on | in Best Practices | | Comments

When you need to grant access to your AWS resources to a third party, we recommend you do so using an IAM role with external ID. In this post, Josh Bean, a programmer writer on the AWS Identity and Access Management (IAM) team, walks you through a scenario to show you how.


At times, you will want to provide a third party with access to your AWS resources. A recommended best practice is to use IAM roles. If you haven’t used roles before, they provide a mechanism to grant access to your AWS resources without needing to share long-term credentials (for example, an IAM user’s access key). Let’s say you want to use an offering from a member of the AWS Partner Network (APN) that monitors your AWS account and provides advice to optimize costs. In order to track your daily spending, the APN Partner (Partner) will need access to your AWS resources. Though you could provide that Partner with the credentials of an IAM user, we highly recommend you use a role. You can learn more about roles in the IAM user guide.

In this post, I’ll describe the scenario of granting a third party access to your AWS resources, and I’ll focus on one important but less known aspect of this scenario: the external ID. If you haven’t come across this term before, or if you have and want to know more, this post is for you! (more…)