
IAM Identities

Users and roles are the foundation of IAM access control. Users represent individual identities, while roles group permissions that can be assumed by users or other Deployport services.

Create a new user in your account:

deployport iam users create <username>

Example:

deployport iam users create john-developer

A role is a collection of permissions that can be assumed by users or services to perform specific tasks. Unlike users, roles are not permanent identities - they provide temporary access to resources based on the policies attached to them. This makes roles ideal for applications, cross-service access, and situations where you need to delegate specific permissions without sharing long-term credentials.

Create a new role for grouping permissions:

deployport iam roles create <rolename>

Example:

deployport iam roles create developer-access

Role assumption allows users to temporarily gain the permissions of a role, providing secure access to resources without permanent credential assignment.

To assume a role and get temporary credentials with that role’s permissions:

deployport iam roles assume <role-name>

Example:

deployport iam roles assume r1

This will output a temporary Access Key ID and Secret Access Key that inherit the permissions of the assumed role. You can use these credentials in a terminal, from an app, or in SDKs.

apiVersion: deployport.com/v1
kind: AssumedRoleContext
metadata:
  name: r1
spec:
  accessKeyID: "<example>"
  secretAccessKey: "<example>"
  region: us-east-1

I have role assumption credentials, how can I test or use them?

The quickest way is to use a separate profile on your local computer to test the credentials.

Suppose you want to name that profile temp-role. You can assume the role and store its credentials in the profile with a single command by piping deployport iam role assume into deployport configure assume:

deployport iam role assume r1 | deployport configure --profile=temp-role assume

The temp-role profile on your machine now holds the credentials assumed for the role. Select it in your current shell:

export DEPLOYPORT_PROFILE=temp-role

Now you can run any other deployport command and it will use your role credentials.
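
The assume, configure and export steps above can be wrapped so that the role applies to a single command instead of the rest of the shell session. This is an added example, not part of the Deployport documentation: with_role is a hypothetical helper name, and the deployport subcommands and DEPLOYPORT_PROFILE are used exactly as shown on this page.

```shell
# Added example: run one command under a temporarily assumed role.
# with_role is a hypothetical helper; it assumes the deployport CLI is on PATH.
# The body is a subshell "( ... )", so variables and the export below
# never reach the calling shell.
with_role() (
    [ "$#" -ge 3 ] || {
        echo "usage: with_role <role> <profile> <command...>" >&2
        exit 2
    }
    role=$1
    profile=$2
    shift 2

    # Capture the AssumedRoleContext first: in a plain pipe the exit status
    # of the assume step is lost, and a failure could leave an older set of
    # credentials in the profile to be used silently.
    ctx=$(deployport iam role assume "$role") || {
        echo "with_role: assuming role '$role' failed" >&2
        exit 1
    }

    # Feed the context to configure over stdin so the secret access key is
    # never printed to the terminal or passed as a command-line argument.
    printf '%s\n' "$ctx" | deployport configure --profile="$profile" assume || {
        echo "with_role: could not store credentials in profile '$profile'" >&2
        exit 1
    }
    unset ctx

    # Select the role profile for this one command only.
    DEPLOYPORT_PROFILE=$profile
    export DEPLOYPORT_PROFILE
    "$@"
)
```

Only the profile selection is scoped to the command; the credentials written to the profile stay in the local configuration after the command returns.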

  • Users for People: Create individual users for each person who needs access
  • Roles for Applications: Use roles for applications, services, and temporary access patterns
  • Meaningful Names: Use descriptive names that indicate the user’s role or the role’s purpose
  • Regular Review: Periodically review users and roles to ensure they’re still needed