Is it possible to specify a pattern for an AWS role Trust Relationship

I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.

I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn't work (access is denied):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

On the other hand, this policy works but it's too open, as it allows any user/role in account A to assume my role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

So, is there any way to allow only a set of roles without being explicitly specified?

charli Avatar asked Nov 22 '18 10:11




2 Answers

I encountered the same use-case recently. None of the responses resolved this for me.

Charli, your original solution is valid but I needed some tweaks to get it to work, namely, I needed to replace 'ArnLike' with 'StringLike' and switch 'aws:SourceArn' to use 'aws:PrincipalArn':

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringLike": {
              "aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
            }
          }
        }
      ]
    }
Mark Mc Avatar answered Oct 08 '22 04:10

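As an added illustration (not code from either poster), here is a small Python model of how IAM matches the two Condition blocks above against the request context of a direct sts:AssumeRole call. The account id and role names are constructed placeholders; the model assumes, as IAM does, that aws:PrincipalArn holds the calling role's ARN and that aws:SourceArn is only set when an AWS service calls on behalf of a resource.

```python
import re

# Constructed request contexts for a direct sts:AssumeRole call made by an
# IAM role in account A (placeholder account id 111111111111). IAM sets
# aws:PrincipalArn to the calling role's ARN; aws:SourceArn is only populated
# when an AWS service calls on behalf of a resource, so it is absent here.
ACCOUNT_A = "111111111111"
CALLER_OK = {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_A}:role/deploy_my_suffix"}
CALLER_OTHER = {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_A}:role/admin"}

def _glob(pattern: str, value: str) -> bool:
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one,
    # matching is case-sensitive, and no other glob syntax (brackets etc.) is special.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def string_like(pattern: str, value: str) -> bool:
    return _glob(pattern, value)

def arn_like(pattern: str, value: str) -> bool:
    # ArnLike matches each of the six colon-delimited ARN parts separately,
    # so a '*' never spans a ':'; with StringLike it would.
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == len(v) == 6 and all(_glob(a, b) for a, b in zip(p, v))

OPERATORS = {"StringLike": string_like, "ArnLike": arn_like}

def condition_allows(condition: dict, context: dict) -> bool:
    """Evaluate a trust-policy Condition block against a request context.
    Every operator/key pair must match; a key missing from the context is a
    non-match, which is why a condition on aws:SourceArn denies every direct
    AssumeRole call coming from an IAM principal."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, patterns in keys.items():
            if key not in context:
                return False
            patterns = [patterns] if isinstance(patterns, str) else patterns
            if not any(match(p, context[key]) for p in patterns):
                return False
    return True

# The question's condition (aws:SourceArn) and the working fix (aws:PrincipalArn).
QUESTION_COND = {"ArnLike": {"aws:SourceArn": f"arn:aws:iam::{ACCOUNT_A}:role/*_my_suffix"}}
ANSWER_COND = {"StringLike": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_A}:role/*_my_suffix"}}

if __name__ == "__main__":
    for name, cond in (("question", QUESTION_COND), ("answer", ANSWER_COND)):
        print(name, condition_allows(cond, CALLER_OK), condition_allows(cond, CALLER_OTHER))
```

Run it to see the question's condition deny even the matching role (the key is never present) while the answer's condition admits only roles whose name ends in the suffix.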


It is not possible to use a wildcard in the trust policy except "Principal" : { "AWS" : "*" }. The reason being that when you specify an identity as Principal, you must use the full ARN, since IAM translates it to the unique ID, e.g. AIDAxxx (for an IAM user) or AROAxxx (for an IAM role). Below is the quote from the documentation:

If your Principal element in a role trust policy contains an ARN that points to a specific IAM user, then that ARN is transformed to the user's unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their privileges by removing and recreating the user. You don't normally see this ID in the console, because there is also a reverse transformation back to the user's ARN when the trust policy is displayed.

sudo Avatar answered Oct 08 '22 04:10
