Assumable role in an AWS cloud formation


Using AWS, I’m building a cloud formation stack defining the following:

  1. Several resources (for the sake of simplicity, not transcribed below)
  2. A Policy called MyPolicy allowing to use those resources (for the sake of simplicity, not transcribed below)
  3. A Role called MyRole submitted to that policy

The stack will be created by an admin ; and once created, the goal is to allow (from outside the stack) some users to assume MyRole in order to use the several resources.

My question: How should the role be defined in order be assumable by users (specific users would be allowed from outside the stack) ?

In AWS help page, they give an example where "Service": [ "" ], meaning that an ec2 instance is allowed to assume that rôle… But I don’t understand how it translates to users, and no example is given regarding that scenario.

Below is my stack definition using JSON format:


Good question! Simply use your root user ARN as the principal. This will allow you to control which user can assume the role using IAM. Here’s an example (in YAML for my own sanity):

Only thing left is to add user to the AssumeRoleGroup-Administrator group.

Bonus: I’ve added a condition to only allow users that have logged using MFA to assume the role.

Also, just swap your ${AWS::AccountId} for another account ID you own and you can cross-account assume roles easily.

Leave a Reply