docs/documentation/platform/pam/getting-started/resources/aws-iam.mdx
Infisical PAM supports secure, just-in-time access to AWS through STS role chaining. Each access request issues short-lived credentials that can be used directly with the AWS CLI or exchanged for a federated AWS Management Console sign-in URL. Both come from the same session, so there's no duplication and CloudTrail attribution stays consistent.
Unlike database or SSH resources that require a Gateway for network connectivity, AWS access works differently. Infisical uses AWS STS (Security Token Service) to assume roles on your behalf and returns the temporary credentials. Those credentials are usable directly by the AWS CLI, and can also be exchanged for a federated console sign-in URL on demand.
sequenceDiagram
participant User
participant Infisical
participant Resource Role as Resource Role
(Your AWS Account)
participant Target Role as Target Role
(Your AWS Account)
participant Console as AWS Console
User->>Infisical: Request AWS Console access
Infisical->>Resource Role: AssumeRole (with ExternalId)
Resource Role-->>Infisical: Temporary credentials
Infisical->>Target Role: AssumeRole (role chaining)
Target Role-->>Infisical: Session credentials
Infisical->>Console: Generate federation URL
Console-->>Infisical: Signed console URL
Infisical-->>User: Return console URL
User->>Console: Open AWS Console (federated)
Resource Role: An IAM role in your AWS account that trusts Infisical. This is the "bridge" role that Infisical assumes first.
Target Role: The IAM role that end users will actually use in the AWS Console. The Resource Role assumes this role on behalf of the user.
Role Chaining: Infisical uses AWS role chaining - it first assumes the Resource Role, then uses those credentials to assume the Target Role. This provides an additional layer of security and audit capability.
External ID: A unique identifier (your Infisical Project ID) used in the trust policy to prevent confused deputy attacks.
The session duration is set when creating the account and applies to all access requests. You can specify the duration using human-readable formats like 15m, 30m, or 1h. Due to AWS role chaining limitations:
15m)1h)Infisical tracks:
All actions performed in the AWS Console are logged in AWS CloudTrail. The session is identified by the RoleSessionName, which includes the user's email address for attribution:
arn:aws:sts::123456789012:assumed-role/pam-readonly/[email protected]
This allows you to correlate Infisical PAM sessions with CloudTrail logs for complete audit visibility.
Before configuring AWS Console access in Infisical PAM, you need to set up two IAM roles in your AWS account:
The PAM Resource represents the connection between Infisical and your AWS account. It contains the Resource Role that Infisical will assume.
<Steps> <Step title="Create the Resource Role Permissions Policy"> First, create an IAM policy that allows the Resource Role to assume your target roles. For simplicity, you can use a wildcard to allow assuming any role in your account:```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/*"
}]
}
```
<Note>
**For more granular control**: If you want to restrict which roles the Resource Role can assume, replace the wildcard (`/*`) with a more specific pattern. For example:
- `arn:aws:iam::<YOUR_ACCOUNT_ID>:role/pam-*` to only allow roles with the `pam-` prefix
- `arn:aws:iam::<YOUR_ACCOUNT_ID>:role/infisical-*` to only allow roles with the `infisical-` prefix
This allows you to limit the blast radius of the Resource Role's permissions.
</Note>
```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<INFISICAL_AWS_ACCOUNT_ID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<YOUR_INFISICAL_PROJECT_ID>"
}
}
}]
}
```
<Warning>
**Security Best Practice**: Always use the External ID condition. This prevents confused deputy attacks where another Infisical customer could potentially trick Infisical into assuming your role.
</Warning>
**Infisical AWS Account IDs:**
| Region | Account ID |
|--------|------------|
| US | `381492033652` |
| EU | `345594589636` |
<Note>
**For Dedicated Instances**: Your AWS account ID differs from the ones listed above. Please contact Infisical support to obtain your dedicated AWS account ID.
</Note>
<Note>
**For Self-Hosted Instances**: Use the AWS account ID where your Infisical instance is deployed. This is the account that hosts your Infisical infrastructure and will be assuming the Resource Role.
</Note>
Clicking **Create Resource** will validate that Infisical can assume the Resource Role. If the connection fails, verify:
- The trust policy has the correct Infisical AWS account ID
- The External ID matches your project ID
- The role ARN is correct
A PAM Account represents a specific Target Role that users can request access to. You can create multiple accounts per resource, each pointing to a different target role with different permission levels.
<Steps> <Step title="Create the Target Role Trust Policy"> Each target role needs a trust policy that allows your Resource Role to assume it:```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/InfisicalResourceRole"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<YOUR_INFISICAL_PROJECT_ID>"
}
}
}]
}
```
<ParamField path="Name" type="string" required>
A friendly name for this account (e.g., `readonly`, `admin`, `developer`)
</ParamField>
<ParamField path="Description" type="string">
Optional description of what this account is used for
</ParamField>
<ParamField path="Target Role ARN" type="string" required>
The ARN of the IAM role users will assume (e.g., `arn:aws:iam::123456789012:role/pam-readonly`)
</ParamField>
<ParamField path="Default Session Duration" type="string" required>
Session duration using human-readable format (e.g., `15m`, `30m`, `1h`). Minimum 15 minutes, maximum 1 hour.
<Warning>
Due to AWS role chaining limitations, the maximum session duration is **1 hour**, regardless of the target role's configured maximum session duration.
</Warning>
</ParamField>
Once your resource and accounts are configured, users can request access through Infisical. A single access request creates one session whose credentials power both the CLI and (optionally) the console. Clicking Open in AWS Console does not start a separate session.
<Steps> <Step title="Navigate to the resource"> Go to the **Resources** tab in your PAM project and open the AWS IAM resource. </Step> <Step title="Select the account"> In the resource's accounts section, find the AWS account you want to access. </Step> <Step title="Request Access"> Click the **Access** button for that account. Infisical will:1. Assume the Resource Role using your project's External ID
2. Assume the Target Role using role chaining
3. Return the temporary STS credentials to your browser
The credentials shown are valid until the configured session duration expires.
- **Access Key ID**
- **Secret Access Key**
- **Session Token**
Use them however your tooling expects. Common options:
- Export as environment variables (Bash / Zsh):
```bash
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
```
- Equivalent `$env:` assignments in PowerShell
- Append to a named profile in `~/.aws/credentials`:
```ini
[infisical-pam]
aws_access_key_id = ASIA...
aws_secret_access_key = ...
aws_session_token = ...
```
All standard AWS SDKs and tooling will pick up the credentials automatically once they are in the environment or credentials file.