jtblin / kube2iam

kube2iam provides different AWS IAM roles for pods running on Kubernetes
BSD 3-Clause "New" or "Revised" License

Is "sts:AssumeRole" permission on nodes necessary? #310

Open amorey opened 3 years ago

amorey commented 3 years ago

Currently, the kube2iam documentation states that it is "necessary to create an IAM role which can assume other roles and assign it to each kubernetes worker" (https://github.com/jtblin/kube2iam#iam-roles) but I'm able to assume roles with only the trust relationship established.

AWS's documentation is a bit confusing, but it seems like only the trust relationship is necessary when the principal is in the same account as the assumed role:

A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:

  • Attach a policy to the user (identical to the previous user in a different account).
  • Add the user as a principal directly in the role's trust policy.

In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.

https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

Can you confirm that it is not necessary to grant "sts:AssumeRole" permission to the node role?

walkafwalka commented 3 years ago

You are correct that there is an implicit trust relationship when in the same account and the IAM role is explicitly trusted. However, it is best practice to explicitly give permission to the role to assume roles too.
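To make the rule in the quoted STS passage concrete, here is an added example (not part of this issue or of kube2iam) that models it in Python: the pod role's trust policy names the node role as principal, and the explicit sts:AssumeRole grant on the node role, which the answer above recommends, is only required by the rule when the caller sits in a different account. Account ids and role names are constructed, and the evaluator is a deliberately simplified model that ignores Condition elements, SCPs and explicit Deny statements.

```python
import re
# Constructed example: account ids and role names are made up.
NODE_ROLE = "arn:aws:iam::111111111111:role/kube2iam-node"

# Trust policy on a pod role: the resource-based side of the evaluation.
POD_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": NODE_ROLE},
                   "Action": "sts:AssumeRole"}],
}

# Identity policy on the node role: the explicit grant the answer recommends.
NODE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": "arn:aws:iam::*:role/pod-*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(arn):
    return arn.split(":")[4]

def _arn_matches(pattern, arn):
    # IAM resource patterns: '*' matches any run of characters.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), arn) is not None

def _grants_assume_role(statements, predicate):
    return any(s.get("Effect") == "Allow"
               and "sts:AssumeRole" in _as_list(s.get("Action", []))
               and predicate(s) for s in statements)

def assume_role_allowed(caller_arn, role_arn, trust_policy, caller_policy=None):
    """Rule from the quoted STS docs, simplified (no Condition, SCP or Deny):
    the trust policy must name the caller; a same-account caller then needs
    nothing else, a cross-account caller also needs sts:AssumeRole on the role."""
    trusted = _grants_assume_role(
        trust_policy["Statement"],
        lambda s: caller_arn in _as_list(s.get("Principal", {}).get("AWS", [])))
    if not trusted:
        return False
    if account_of(caller_arn) == account_of(role_arn):
        return True  # trust policy alone is sufficient
    if caller_policy is None:
        return False
    return _grants_assume_role(
        caller_policy["Statement"],
        lambda s: any(_arn_matches(r, role_arn) for r in _as_list(s.get("Resource", []))))
```

Even in the same-account case, keeping the explicit grant on the node role documents intent and scopes which pod roles the node may assume, which is why the answer above still recommends it.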