Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Every cloud has the same three primitives — humans, workloads, and the policies that bind them — but each calls them something different and each has a slightly different evaluation order. Get IAM wrong and either nothing works (deny-by-default) or everything is exposed (over-broad wildcard policies). Modeling identity correctly on day one saves you a security incident on day 200.
Create a least-privilege identity for a workload on each cloud and verify it can do exactly one thing.
/owner or /editor — these are over-broad and should be replaced with predefined or custom roles.
assume-role (AWS) or workload identity federation (GCP) and write a one-sentence summary of how a CI runner would authenticate without a long-lived key.

Use these three in order. Each builds on the one before.
In one paragraph, explain IAM users vs roles vs service accounts like I'm new to it, with a concrete example of when each is the right tool.
Walk me through how an EC2 instance with an attached IAM role actually obtains and rotates credentials step by step — from the metadata service IMDSv2 call to the temporary STS token in memory.
Given a CI/CD pipeline in GitHub Actions that needs to deploy to AWS, Azure, and GCP without storing any long-lived secrets, design the federated identity setup for all three.
# Create an IAM role assumable by EC2 with read-only S3
cat > trust.json <<'EOF'
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
aws iam create-role --role-name CapstokS3RO --assume-role-policy-document file://trust.json
aws iam attach-role-policy --role-name CapstokS3RO \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# Inspect what the role can actually do
aws iam list-attached-role-policies --role-name CapstokS3RO
# Expect s3:GetObject -> allowed and s3:DeleteObject -> implicitDeny
aws iam simulate-principal-policy \
  --policy-source-arn "$(aws iam get-role --role-name CapstokS3RO --query Role.Arn --output text)" \
  --action-names s3:GetObject s3:DeleteObject
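As an added example (not part of the lesson and not AWS code), here is a small offline model of the decision logic that simulate-principal-policy reports, an explicit Deny wins, any matching Allow permits, otherwise the request is implicitly denied, plus a check for the Allow-everything-on-everything pattern the lesson calls over-broad. The policies are constructed; Condition, NotAction and NotResource are assumed absent.

```python
import fnmatch

def _as_list(value):
    # IAM accepts a string or a list in Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _match(patterns, value, fold_case):
    """Glob-match an action or ARN against a statement's pattern(s).
    Action names are case-insensitive in IAM; ARNs are case-sensitive."""
    if fold_case:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
               for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one request,
    with AWS precedence: an explicit Deny beats Allow beats the default."""
    decision = "implicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _match(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _match(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # one matching Deny settles the request
        decision = "allowed"
    return decision

def lint(policy):
    """Flag Allow statements that grant every action on every resource."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if (stmt["Effect"] == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            findings.append(f"Statement {i}: Allow * on * (admin-equivalent)")
    return findings

# Constructed sample policies for the demo (not AWS managed policies).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::secrets-bucket/*"}]}
OVER_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:DeleteObject"):
        print(act, evaluate(READ_ONLY, act, "arn:aws:s3:::data/report.csv"))
    print(lint(READ_ONLY), lint(OVER_BROAD))
```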