Is it possible to specify a pattern for an AWS role Trust Relationship

Question:

I want to allow some roles from a different account to assume a role in my account. I don’t want to specify the roles one by one, because they’re prone to change frequently.

I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn’t work (access is denied):

On the other hand, this policy works but it’s too open, as it allows any user/role in account A to assume my role:

So, is there any way to allow only a set of roles without being explicitly specified?

Answer:

I encountered the same use-case recently. None of the responses resolved this for me.

Charli, your original solution is valid but I needed some tweaks to get it to work, namely, I needed to replace ‘ArnLike’ with ‘stringLike’ and switch ‘aws:SourceArn’ to use ‘aws:PrincipalArn’:
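
The trust policy the answer describes, written out as an added example (not the asker's or answerer's own policy document), together with a small local check that mimics IAM's StringLike matching so the pattern can be tested against sample principal ARNs offline. The account id 111122223333 is AWS's documentation placeholder standing in for account A, and the helper names are my own.

```python
import json
import re

# Constructed placeholder values: AWS's documentation example account id
# stands in for "account A"; the suffix is the one from the question.
ACCOUNT_A = "111122223333"
SUFFIX = "_my_suffix"


def trust_policy(account_id: str, suffix: str) -> dict:
    """Trust any principal in account A (the account root), then narrow it
    with a StringLike condition on aws:PrincipalArn so that only roles whose
    name ends with the suffix can actually call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {
                "aws:PrincipalArn": f"arn:aws:iam::{account_id}:role/*{suffix}"
            }},
        }],
    }


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters (including
    '/'), '?' matches one character, comparison is case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def principal_allowed(policy: dict, principal_arn: str) -> bool:
    """Local approximation of the trust check: the caller must belong to the
    trusted account and match the condition. For a role session IAM sets
    aws:PrincipalArn to the IAM role ARN (arn:aws:iam::A:role/NAME), not the
    sts assumed-role ARN, which is why the pattern targets 'role/'."""
    for stmt in policy["Statement"]:
        trusted_account = stmt["Principal"]["AWS"].split(":")[4]
        if principal_arn.split(":")[4] != trusted_account:
            continue
        pattern = stmt["Condition"]["StringLike"]["aws:PrincipalArn"]
        if string_like(pattern, principal_arn):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_A, SUFFIX), indent=2))
```

The calling role in account A must also be granted sts:AssumeRole on the target role in its own identity policy; the trust policy alone does not authorize the call.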
