Can IAM user assume a role, if the user is not described in the Trust policy of the role?

Can a role be assumed if it does not have a Trust policy? If a given IAM user has an attached identity based policy saying that he/she can call sts:AssumeRole for a given role (inside the same account), but the user is not described in the Trust policy of this role, will he/she be able to assume the role?

Usually only the resource based policy or the identity based policy should be enough to give rights for the user, but is it different for the roles?

Thanks

Jaxx asked Feb 28 '21 23:02


1 Answer

will he/she be able to assume the role?

Yes, of course she/he will be able to do it, as long as the trust policy allows the account to assume the role. For example, the role has to have a trust policy of:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<account-number>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

This way, your IAM user does not need to be explicitly listed in the trust policy, but a trust policy is required, and at the least you should specify the account which can assume it. The drawback is that any IAM user or role from the <account-number> account that has sts:AssumeRole permissions can assume the role.

it does not have a Trust policy?

A trust policy is required, so you can't have a role without such a policy.

Update

Let's assume you have a role with a trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxx:user/UserA"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

The role can be assumed only by UserA. UserB will not be able to assume this role, regardless of his permissions.

Marcin answered Sep 28 '22 19:09
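The two gates the answer describes (the role's trust policy must cover the caller, and, when the trust policy only names the account, the caller's own identity-based policy must also allow sts:AssumeRole), as an added example that is not part of the question or the answer above. It is a small offline evaluator, not AWS's real policy engine: it reads the two policy documents as Python dicts and reproduces the same-account decision for the two trust policies shown in the answer. All account numbers, user names and the role name are constructed for the example. One assumption beyond what the answer states, taken from the AWS IAM documentation on same-account role trust: a caller whose ARN is named explicitly in the trust policy does not additionally need sts:AssumeRole in an identity-based policy, while a caller covered only by the account-root principal does.

```python
import re
from fnmatch import fnmatchcase

# Constructed identifiers for this example (hypothetical account, users, role).
ACCOUNT = "111111111111"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DeployRole"
USER_A = f"arn:aws:iam::{ACCOUNT}:user/UserA"
USER_B = f"arn:aws:iam::{ACCOUNT}:user/UserB"
OUTSIDER = "arn:aws:iam::222222222222:user/UserA"  # same user name, other account

# Trust policy 1 from the answer: the whole account is trusted.
TRUST_ACCOUNT_ROOT = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": ACCOUNT},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}
# Trust policy 2 from the answer: only UserA is trusted.
TRUST_USER_A = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": USER_A},
                   "Action": "sts:AssumeRole", "Condition": {}}],
}
# Identity-based policies attached to the caller (constructed).
ALLOW_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
DENY_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
NO_PERMS = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _account(arn):
    m = re.match(r"arn:aws:iam::(\d{12}):", arn)
    return m.group(1) if m else None


def trust_match(trust_policy, caller_arn):
    """Gate 1. Return 'explicit' (caller ARN named), 'broad' (account root or '*'
    covers the caller) or None (not trusted). Condition elements are ignored."""
    result = None
    for st in trust_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        if principal == "*":            # anyone at all; never do this for a real role
            result = "broad"
            continue
        for p in _as_list(principal.get("AWS")):
            if re.fullmatch(r"\d{12}", p):      # bare account id == that account's root
                p = f"arn:aws:iam::{p}:root"
            if p == caller_arn:
                return "explicit"
            if p.endswith(":root") and _account(p) == _account(caller_arn):
                result = "broad"
    return result


def identity_allows(identity_policy, role_arn):
    """Gate 2. Does the caller's identity-based policy allow sts:AssumeRole on
    role_arn? An explicit Deny on a matching statement wins over any Allow."""
    allowed = False
    for st in identity_policy.get("Statement", []):
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(st.get("Action"))):
            continue
        if not any(fnmatchcase(role_arn, r) for r in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def can_assume(trust_policy, identity_policy, caller_arn, role_arn):
    """Same-account AssumeRole decision. Does not model SCPs, permission
    boundaries, session policies or trust-policy Conditions, all of which can
    still deny a call that passes here."""
    mode = trust_match(trust_policy, caller_arn)
    if mode is None:
        return False            # not in the trust policy: permissions do not matter
    if mode == "explicit":
        return True             # named explicitly: no identity-based policy needed (assumption, per AWS docs)
    return identity_allows(identity_policy, role_arn)   # account root: identity-based policy required


if __name__ == "__main__":
    for label, trust, ident, who in [
        ("root trust, UserA with permission", TRUST_ACCOUNT_ROOT, ALLOW_ASSUME, USER_A),
        ("root trust, UserB with permission", TRUST_ACCOUNT_ROOT, ALLOW_ASSUME, USER_B),
        ("root trust, UserA without permission", TRUST_ACCOUNT_ROOT, NO_PERMS, USER_A),
        ("root trust, user from another account", TRUST_ACCOUNT_ROOT, ALLOW_ASSUME, OUTSIDER),
        ("UserA trust, UserA without permission", TRUST_USER_A, NO_PERMS, USER_A),
        ("UserA trust, UserB with permission", TRUST_USER_A, ALLOW_ASSUME, USER_B),
    ]:
        print(f"{label}: {can_assume(trust, ident, who, ROLE_ARN)}")
```

The "root trust, UserB with permission" case is the drawback the answer points out: trusting the account root means any principal in the account with sts:AssumeRole permission gets in, so prefer explicit ARNs or a Condition in the trust policy. To check a real role rather than this model, run `aws sts assume-role --role-arn <role-arn> --role-session-name test` as the user in question; an AccessDenied from STS means one of the two gates (or an SCP or boundary this model ignores) refused the call.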