Question:
Using AWS, I’m building a CloudFormation stack defining the following:
- Several resources (for the sake of simplicity, not transcribed below)
- A Policy called MyPolicy allowing use of those resources (for the sake of simplicity, not transcribed below)
- A Role called MyRole submitted to that policy
The stack will be created by an admin; and once created, the goal is to allow (from outside the stack) some users to assume MyRole in order to use the several resources.
My question: How should the role be defined in order to be assumable by users (specific users would be allowed from outside the stack)?
In the AWS help page, they give an example where "Service": [ "ec2.amazonaws.com" ], meaning that an EC2 instance is allowed to assume that role… But I don’t understand how it translates to users, and no example is given regarding that scenario.
Below is my stack definition using JSON format:
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "MyRole",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": [ "??" ] },
              "Action": [ "sts:AssumeRole" ]
            }
          ]
        },
        "ManagedPolicyArns": [ { "Ref": "MyPolicy" } ]
      }
    }
  }
}
```
Answer:
Good question! Simply use your root user ARN as the principal. This will allow you to control which user can assume the role using IAM. Here’s an example (in YAML for my own sanity):
```yaml
AdministratorRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: administrator
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: sts:AssumeRole
          Condition:
            Bool:
              aws:MultiFactorAuthPresent: 'true'
    Path: "/"
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AdministratorAccess

AssumeAdministratorRolePolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    ManagedPolicyName: "AssumeRolePolicy-Administrator"
    Description: "Assume the administrative role"
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: "AssumeAdministratorRolePolicy"
          Effect: "Allow"
          Action:
            - "sts:AssumeRole"
          Resource: !GetAtt AdministratorRole.Arn

AssumeAdministratorRoleGroup:
  Type: AWS::IAM::Group
  Properties:
    GroupName: "AssumeRoleGroup-Administrator"
    ManagedPolicyArns:
      - !Ref AssumeAdministratorRolePolicy
```
The only thing left is to add users to the AssumeRoleGroup-Administrator group.
Bonus: I’ve added a condition to only allow users that have logged in using MFA to assume the role.
Also, just swap your ${AWS::AccountId} for another account ID you own and you can cross-account assume roles easily.
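As an added illustration (not part of the question or the answer, and not AWS library code), the following Python models the trust-policy half of an `sts:AssumeRole` decision for the role defined in the answer: a `:root` principal trusts every IAM identity in that account, and the `Bool` condition on `aws:MultiFactorAuthPresent` fails when the key is absent from the request context, which is what happens with an IAM user's long-term access keys. The account id `123456789012`, the caller ARNs and the lint rules are constructed for the example. The identity-policy half (the group granting `sts:AssumeRole` on the role's ARN) is not modelled; in the real service both halves must allow the call.

```python
"""Offline model of trust-policy evaluation for sts:AssumeRole.

Constructed example: reproduces the trust policy from the answer with a
placeholder account id and checks it against a few constructed callers.
"""
import re

ACCOUNT_ID = "123456789012"  # placeholder, not a real account

# Same trust policy as the answer's AssumeRolePolicyDocument, as a dict.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# IAM principal ARNs this toy evaluator understands: account root, users, roles.
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/.+|role/.+)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals of a statement; a bare "*" means anyone."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _principal_matches(trusted, caller_arn):
    """A ':root' principal trusts any IAM identity of that account; other
    ARNs must match exactly."""
    if trusted == "*":
        return True
    t, c = ARN_RE.match(trusted), ARN_RE.match(caller_arn)
    if not t or not c:
        return False
    if t.group(2) == "root":
        return t.group(1) == c.group(1)
    return trusted == caller_arn


def _conditions_hold(conditions, context):
    """Only the Bool operator is modelled. A key missing from the request
    context fails the condition: long-term keys carry no MFA key at all."""
    for operator, pairs in conditions.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def can_assume(policy, caller_arn, context):
    """True if some Allow statement matches the caller, the action and the
    request context. Trust policies here contain no Deny statements."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not any(_principal_matches(p, caller_arn) for p in _principals(stmt)):
            continue
        if _conditions_hold(stmt.get("Condition", {}), context):
            return True
    return False


def lint_trust_policy(policy):
    """Findings a reviewer would raise on a role meant for human operators."""
    findings = []
    for stmt in policy["Statement"]:
        if "*" in _principals(stmt):
            findings.append("wildcard principal: any identity with sts:AssumeRole rights may assume")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("no aws:MultiFactorAuthPresent condition")
    return findings


if __name__ == "__main__":
    alice = f"arn:aws:iam::{ACCOUNT_ID}:user/alice"      # constructed caller
    stranger = "arn:aws:iam::999999999999:user/mallory"  # constructed, other account
    print("alice, MFA session:   ", can_assume(TRUST_POLICY, alice, {"aws:MultiFactorAuthPresent": "true"}))
    print("alice, long-term keys:", can_assume(TRUST_POLICY, alice, {}))
    print("other account, MFA:   ", can_assume(TRUST_POLICY, stranger, {"aws:MultiFactorAuthPresent": "true"}))
    print("lint findings:        ", lint_trust_policy(TRUST_POLICY))
```

Running it shows the two properties the answer relies on: a user of the trusted account is allowed only when the MFA key is present and true, and a user from any other account is refused regardless of MFA. `lint_trust_policy` flags the two weak forms of the same document, a `"*"` principal and a missing MFA condition, which is the check worth adding to a template review pipeline.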