Assumable role in an AWS cloud formation

Question

Using AWS, I'm building a cloud formation stack defining the following:

1. Several resources (for the sake of simplicity, not transcribed below)
2. A Policy called MyPolicy allowing to use those resources (for the sake of simplicity, not transcribed below)
3. A Role called MyRole submitted to that policy

The stack will be created by an admin ; and once created, the goal is to allow (from outside the stack) some users to assume MyRole in order to use the several resources.

My question: How should the role be defined in order be assumable by users (specific users would be allowed from outside the stack) ?

In AWS help page, they give an example where "Service": [ "ec2.amazonaws.com" ], meaning that an ec2 instance is allowed to assume that rôle... But I don't understand how it translates to users, and no example is given regarding that scenario.

Below is my stack definition using JSON format:

{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Resources" : {
        "MyRole" : {
            "Type": "AWS::IAM::Role",
            "RoleName": "MyRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": { "Service": [ "??" ] },
                        "Action": [ "sts:AssumeRole" ]
                    }
                ]
            },
            "ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ],
        }
    }
}

Answer 1

Good question! Simply use your root user ARN as the principal. This will allow you to control which user can assume the role using IAM. Here's an example (in YAML for my own sanity):

  AdministratorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: administrator
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: sts:AssumeRole
          Condition:
            Bool:
              aws:MultiFactorAuthPresent: 'true'
      Path: "/"
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AdministratorAccess

  AssumeAdministratorRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: "AssumeRolePolicy-Administrator"
      Description: "Assume the administrative role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Sid: "AssumeAdministratorRolePolicy"
          Effect: "Allow"
          Action:
          - "sts:AssumeRole"
          Resource: !GetAtt AdministratorRole.Arn

  AssumeAdministratorRoleGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: "AssumeRoleGroup-Administrator"
      ManagedPolicyArns:
      - !Ref AssumeAdministratorRolePolicy

Only thing left is to add user to the AssumeRoleGroup-Administrator group.

Bonus: I've added a condition to only allow users that have logged using MFA to assume the role.

Also, just swap your ${AWS::AccountId} for another account ID you own and you can cross-account assume roles easily.