Question:
I want to allow some roles from a different account to assume a role in my account. I don’t want to specify the roles one by one, because they’re prone to change frequently.
I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn’t work (access is denied):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
On the other hand, this policy works but it’s too open, as it allows any user/role in account A to assume my role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
So, is there any way to allow only a set of roles without being explicitly specified?
Answer:
I encountered the same use-case recently. None of the responses resolved this for me.
Charli, your original solution is valid but I needed some tweaks to get it to work, namely, I needed to replace ‘ArnLike’ with ‘StringLike’ and switch ‘aws:SourceArn’ to use ‘aws:PrincipalArn’:
```json
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
  },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
    }
  }
}
```