I have other accounts running services (on EC2 etc.).
I have one account running a metrics UI site as part of an ECS cluster that assumes a role while operating (arn:aws:sts::1111111111:assumed-role/initialassumedrole).
The other accounts have a role for accessing CloudWatch logs etc.:
{
  "CloudWatchConsumerRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
      "RoleName": "CloudWatchConsumerRole",
      "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": ...
      },
      "Policies": [
        {
          "PolicyName": "accessCloudWatchMetricsPolicy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Sid": "AllowReadingsMetricsFromCloudWatch",
                "Effect": "Allow",
                "Action": [
                  "cloudwatch:DescribeAlarmsForMetric",
                  "cloudwatch:ListMetrics",
                  "cloudwatch:GetMetricStatistics",
                  "cloudwatch:GetMetricData"
                ],
                "Resource": "*"
              },
              {
                "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
                "Effect": "Allow",
                "Action": [
                  "ec2:DescribeTags",
                  "ec2:DescribeInstances",
                  "ec2:DescribeRegions"
                ],
                "Resource": "*"
              },
              {
                "Sid": "AllowReadingResourcesForTags",
                "Effect": "Allow",
                "Action": "tag:GetResources",
                "Resource": "*"
              }
            ]
          }
        }
      ]
    }
  }
}
The CloudFormation docs state that for the principal to be an assumed role, you must specify a session (i.e. you cannot use a wildcard).
They also say that if the principal is a role (not an assumed role), then you can use wildcards to match the name of the role.
However, can I use wildcards for assumed roles, i.e. set the statement in CloudWatchConsumerRole to something like this:
"Statement": [
  {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Principal": {
      "AWS": [
        "arn:aws:sts::1111111111:assumed-role/initialassumedrole*"
      ]
    }
  }
]
Unfortunately I'm not able to test this out easily, so I'm really relying on the experience of all you wonderful folk.
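Since the question cannot easily be tried against a live account, here is an added example (not code from the post, and not AWS's policy engine) that models the three documented IAM rules relevant to it so the candidate trust policies can be compared offline: the Principal element accepts no partial wildcards (only a bare "*"), a role ARN principal (arn:aws:iam::ACCOUNT:role/NAME) matches every session of that role because aws:PrincipalArn for an assumed-role caller is the underlying role ARN, and wildcard matching belongs in a Condition using ArnLike on aws:PrincipalArn. The 12-digit account ID, the session names and the helper names (request_context, can_assume, trust_policy, evaluate_all) are constructed for the example.

```python
"""Offline model of IAM role trust-policy matching for assumed-role callers.

Added example; simplified from AWS's documented rules, not AWS's own code.
Not modelled: NotPrincipal, Service/Federated principals, most condition
operators, and ArnLike's per-colon-component matching (fnmatch is close
enough for the role-name patterns used here).
"""
import fnmatch
import re

# Constructed values, not from the original post.
METRICS_ACCOUNT = "111111111111"
INITIAL_ROLE_ARN = f"arn:aws:iam::{METRICS_ACCOUNT}:role/initialassumedrole"
ECS_SESSION_ARN = f"arn:aws:sts::{METRICS_ACCOUNT}:assumed-role/initialassumedrole/ecs-task-7f3a"
OTHER_SESSION_ARN = f"arn:aws:sts::{METRICS_ACCOUNT}:assumed-role/otherrole/ecs-task-7f3a"

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/([^/]+)$")


def request_context(session_arn):
    """Values IAM exposes for an assumed-role caller.
    aws:PrincipalArn is the role ARN, not the STS session ARN."""
    m = _ASSUMED_ROLE.match(session_arn)
    if m is None:
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    account, role_name, _session = m.groups()
    return {
        "session_arn": session_arn,
        "aws:PrincipalArn": f"arn:aws:iam::{account}:role/{role_name}",
        "aws:PrincipalAccount": account,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_matches(principal, ctx):
    """Principal element: exact match only; a partial wildcard never matches."""
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    for entry in entries:
        if entry == "*":
            return True
        if "*" in entry or "?" in entry:
            continue  # not a valid principal; IAM will not accept it
        if entry in (ctx["session_arn"], ctx["aws:PrincipalArn"]):
            return True  # exact session ARN, or the role ARN (any session)
    return False


def condition_matches(condition, ctx):
    """ArnLike / ArnEquals / StringEquals on keys present in ctx."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            patterns = _as_list(wanted)
            if operator == "ArnLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            elif operator in ("ArnEquals", "StringEquals"):
                ok = actual in patterns
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def can_assume(trust_policy_doc, session_arn, action="sts:AssumeRole"):
    """Explicit Deny wins; otherwise any matching Allow grants."""
    ctx = request_context(session_arn)
    allowed = False
    for stmt in trust_policy_doc["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not principal_matches(stmt["Principal"], ctx):
            continue
        if not condition_matches(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy(principal, condition=None):
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# 1. The form proposed in the question: a wildcard inside Principal. Never matches.
PROPOSED = trust_policy({"AWS": [f"arn:aws:sts::{METRICS_ACCOUNT}:assumed-role/initialassumedrole*"]})
# 2. Trust the role itself: every session of initialassumedrole matches.
ROLE_PRINCIPAL = trust_policy({"AWS": INITIAL_ROLE_ARN})
# 3. Wildcard where IAM allows one: Principal "*" narrowed by ArnLike on aws:PrincipalArn.
ARNLIKE = trust_policy("*", {"ArnLike": {"aws:PrincipalArn": f"arn:aws:iam::{METRICS_ACCOUNT}:role/initialassumedrole*"}})


def evaluate_all():
    """(initialassumedrole session allowed?, otherrole session allowed?) per policy."""
    return {name: (can_assume(p, ECS_SESSION_ARN), can_assume(p, OTHER_SESSION_ARN))
            for name, p in [("proposed", PROPOSED), ("role_principal", ROLE_PRINCIPAL), ("arnlike", ARNLIKE)]}


if __name__ == "__main__":
    for name, (ecs, other) in evaluate_all().items():
        print(f"{name:15s} initialassumedrole session: {ecs!s:5s}  otherrole session: {other}")
```

Of the two working forms, the role-ARN principal is the simpler one when the caller is a single known role. One caveat with it: IAM stores a role principal as the role's unique ID when the trust policy is saved, so if initialassumedrole is ever deleted and recreated with the same name, the trust policy stops matching until it is re-saved. The ArnLike form on aws:PrincipalArn does not have that problem and is the only way to get name-pattern matching, at the cost of a Principal of "*" that must be kept narrowed by the condition.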