Skip to main content
Infisical PAM supports secure, just-in-time access to the AWS Management Console through federated sign-in. This allows your team to access AWS without sharing long-lived credentials, while maintaining a complete audit trail of who accessed what and when.

How It Works

Unlike database or SSH resources that require a Gateway for network connectivity, AWS Console access works differently. Infisical uses AWS STS (Security Token Service) to assume roles on your behalf and generates temporary federated sign-in URLs.

Key Concepts

  1. Resource Role: An IAM role in your AWS account that trusts Infisical. This is the “bridge” role that Infisical assumes first.
  2. Target Role: The IAM role that end users will actually use in the AWS Console. The Resource Role assumes this role on behalf of the user.
  3. Role Chaining: Infisical uses AWS role chaining - it first assumes the Resource Role, then uses those credentials to assume the Target Role. This provides an additional layer of security and audit capability.
  4. External ID: A unique identifier (your Infisical Project ID) used in the trust policy to prevent confused deputy attacks.

Session Behavior

Session Duration

The session duration is set when creating the account and applies to all access requests. You can specify the duration using human-readable formats like 15m, 30m, or 1h. Due to AWS role chaining limitations:
  • Minimum: 15 minutes (15m)
  • Maximum: 1 hour (1h)

Session Tracking

Infisical tracks:
  • When the session was created
  • Who accessed which role
  • When the session expires
Important: AWS Console sessions cannot be terminated early. Once a federated URL is generated, the session remains valid until the configured duration expires. However, you can revoke active sessions by modifying the role’s trust policy.

CloudTrail Integration

All actions performed in the AWS Console are logged in AWS CloudTrail. The session is identified by the RoleSessionName, which includes the user’s email address for attribution: 
arn:aws:sts::123456789012:assumed-role/pam-readonly/[email protected]
This allows you to correlate Infisical PAM sessions with CloudTrail logs for complete audit visibility.

Prerequisites

Before configuring AWS Console access in Infisical PAM, you need to set up two IAM roles in your AWS account:
  1. Resource Role - Trusted by Infisical, can assume target roles
  2. Target Role(s) - The actual roles users will use in the console
No Gateway Required: Unlike database or SSH resources, AWS Console access does not require an Infisical Gateway. Infisical communicates directly with AWS APIs.

Create the PAM Resource

The PAM Resource represents the connection between Infisical and your AWS account. It contains the Resource Role that Infisical will assume.
1

Create the Resource Role Permissions Policy

First, create an IAM policy that allows the Resource Role to assume your target roles. For simplicity, you can use a wildcard to allow assuming any role in your account:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/*"
  }]
}
Create AWS IAM Resource
For more granular control: If you want to restrict which roles the Resource Role can assume, replace the wildcard (/*) with a more specific pattern. For example:
  • arn:aws:iam::<YOUR_ACCOUNT_ID>:role/pam-* to only allow roles with the pam- prefix
  • arn:aws:iam::<YOUR_ACCOUNT_ID>:role/infisical-* to only allow roles with the infisical- prefix
This allows you to limit the blast radius of the Resource Role’s permissions.
2

Create the Resource Role with Trust Policy

Create an IAM role (e.g., InfisicalResourceRole) with:
  • The permissions policy from the previous step attached
  • The following trust policy:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<INFISICAL_AWS_ACCOUNT_ID>:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "<YOUR_INFISICAL_PROJECT_ID>"
      }
    }
  }]
}
Create AWS IAM ResourceCreate AWS IAM Resource
Security Best Practice: Always use the External ID condition. This prevents confused deputy attacks where another Infisical customer could potentially trick Infisical into assuming your role.
Infisical AWS Account IDs:
RegionAccount ID
US381492033652
EU345594589636
For Dedicated Instances: Your AWS account ID differs from the ones listed above. Please contact Infisical support to obtain your dedicated AWS account ID.
For Self-Hosted Instances: Use the AWS account ID where your Infisical instance is deployed. This is the account that hosts your Infisical infrastructure and will be assuming the Resource Role.
3

Create the Resource in Infisical

  1. Navigate to your PAM project and go to the Resources tab
  2. Click Add Resource and select AWS IAM
  3. Enter a name for the resource (e.g., production-aws)
  4. Enter the Resource Role ARN - the ARN of the role you created in the previous step Create AWS IAM Resource
Clicking Create Resource will validate that Infisical can assume the Resource Role. If the connection fails, verify:
  • The trust policy has the correct Infisical AWS account ID
  • The External ID matches your project ID
  • The role ARN is correct

Create PAM Accounts

A PAM Account represents a specific Target Role that users can request access to. You can create multiple accounts per resource, each pointing to a different target role with different permission levels.
1

Create the Target Role Trust Policy

Each target role needs a trust policy that allows your Resource Role to assume it:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/InfisicalResourceRole"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "<YOUR_INFISICAL_PROJECT_ID>"
      }
    }
  }]
}
Create AWS IAM Resource
2

Create the Account in Infisical

  1. Navigate to the Accounts tab in your PAM project
  2. Click Add Account and select the AWS IAM resource you created
  3. Fill in the account details: Create AWS IAM Account
Name
string
required
A friendly name for this account (e.g., readonly, admin, developer)
Description
string
Optional description of what this account is used for
Target Role ARN
string
required
The ARN of the IAM role users will assume (e.g., arn:aws:iam::123456789012:role/pam-readonly)
Default Session Duration
string
required
Session duration using human-readable format (e.g., 15m, 30m, 1h). Minimum 15 minutes, maximum 1 hour.
Due to AWS role chaining limitations, the maximum session duration is 1 hour, regardless of the target role’s configured maximum session duration.

Access the AWS Console

Once your resource and accounts are configured, users can request access through Infisical: Create AWS IAM Resource
1

Navigate to Accounts

Go to the Accounts tab in your PAM project.
2

Find the Account

Find the AWS Console account you want to access.
3

Request Access

Click the Access button.Infisical will:
  1. Assume the Resource Role using your project’s External ID
  2. Assume the Target Role using role chaining
  3. Generate a federated sign-in URL
  4. Open the AWS Console in a new browser tab
The user will be signed into the AWS Console with the permissions of the Target Role.