docs/documentation/platform/pam/accounts/aws-iam.mdx
AWS IAM accounts let you manage access to AWS through IAM role assumption. Users can open the AWS console directly or use the CLI to get temporary credentials, and every access is logged.
Infisical assumes the IAM role you configure directly, then returns short-lived STS credentials. Those credentials work with the AWS CLI and can also be exchanged for a federated AWS Management Console sign-in URL.
<Note> AWS IAM accounts do not require a Gateway. Infisical communicates directly with the AWS STS API. </Note>When a user accesses an AWS IAM account, Infisical assumes the account's IAM role using AWS STS and returns the temporary credentials:
sequenceDiagram
participant User
participant Infisical
participant Role as IAM Role
(Your AWS Account)
participant Console as AWS Console
User->>Infisical: Request AWS access
Infisical->>Role: AssumeRole (with ExternalId = Org ID)
Role-->>Infisical: Temporary credentials
Infisical-->>User: Return credentials (CLI)
Infisical->>Console: Exchange for federation URL (Console)
Console-->>Infisical: Signed console URL
Infisical-->>User: Return console URL
There is a single role per account. Its trust policy allows Infisical to assume it, scoped by an External ID set to your Infisical Organization ID. The External ID prevents confused deputy attacks, where another Infisical customer could otherwise trick Infisical into assuming your role.
Before adding the account in Infisical, create the IAM role in your AWS account with a trust policy that allows Infisical to assume it.
<Steps> <Step title="Create the role with a trust policy"> Create an IAM role (e.g., `infisical-pam-readonly`) with the following trust policy. Replace `<INFISICAL_AWS_ACCOUNT_ID>` with the Infisical account ID for your region and `<YOUR_INFISICAL_ORG_ID>` with your Infisical Organization ID.```json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<INFISICAL_AWS_ACCOUNT_ID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<YOUR_INFISICAL_ORG_ID>"
}
}
}]
}
```
<Warning>
Always include the External ID condition. Without it, another Infisical customer could potentially trick Infisical into assuming your role.
</Warning>
**Infisical AWS Account IDs:**
| Region | Account ID |
|--------|------------|
| US | `381492033652` |
| EU | `345594589636` |
<Note>
**For Dedicated Instances**: Your AWS account ID differs from the ones listed above. Contact Infisical support to obtain your dedicated AWS account ID.
</Note>
<Note>
**For Self-Hosted Instances**: Use the AWS account ID where your Infisical instance is deployed. This is the account that hosts your Infisical infrastructure and will be assuming the role.
</Note>
You can find your Infisical Organization ID under **Organization Settings**.
Sessions use short-lived STS credentials. The duration is bounded by the target role's maximum session duration in AWS (MaxSessionDuration), with a minimum of 15 minutes. Requesting longer than the role allows will cause AWS to reject the request, so set the role's MaxSessionDuration to cover the session lengths you expect.
All actions performed with the credentials are logged in AWS CloudTrail. The session is identified by the RoleSessionName, which includes the user's email for attribution.
```bash
infisical pam access my-folder/prod-admin-access
```
This creates a profile named `infisical-pam/my-folder/prod-admin-access` in `~/.aws/credentials`. Use it with the AWS CLI:
```bash
aws s3 ls --profile "infisical-pam/my-folder/prod-admin-access"
```
Or set the `AWS_PROFILE` environment variable:
```bash
export AWS_PROFILE="infisical-pam/my-folder/prod-admin-access"
aws sts get-caller-identity
```
Press **Ctrl+C** to stop and remove the credentials profile.
**Flags:**
- `--reason <reason>`: provide an access reason (if required by template)