27

I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.

I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn't work (access is denied):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

On the other hand, this policy works but it's too open, as it allows any user/role in account A to assume my role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

So, is there any way to allow only a set of roles without being explicitly specified?

charli

3 Answers

46

I encountered the same use-case recently. None of the responses resolved this for me.

Charli, your original solution is valid but I needed some tweaks to get it to work, namely, I needed to replace 'ArnLike' with 'StringLike' and switch 'aws:SourceArn' to use 'aws:PrincipalArn':

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
        }
      }
    }
  ]
}
Mark Mc
  • Did it work? Ugh, for me it is not clear which `Condition` to use. Thanks! – charli May 15 '19 at 15:38
  • Thanks, this saved my day. Any idea where to find the list of conditions and variables that can be used? – Hitesh Garg Jul 14 '20 at 12:05
  • This is a savior! Wonder if there's any reason to not include this in the AWS docs but explicitly state that it's impossible? – Max Lobur Aug 04 '20 at 13:20
  • @HiteshGarg https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html and https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html – fosrias Jan 13 '21 at 04:29
  • I had the condition of: `"ArnLike": { "aws:SourceArn": "arn:aws:iam:::role/my-role*" }` and that didn't work for me until I changed it up and used **StringLike** and **aws:PrincipalArn**. – GunWanderer Mar 22 '22 at 23:14
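To see why the answer above works and the question's original condition does not, here is an added example (not code from the answerer or from AWS) that models offline the parts of IAM policy evaluation that matter for a cross-account sts:AssumeRole call: principal matching, StringLike and ArnLike wildcard semantics, and the request context. Two things it relies on are documented IAM behaviour: aws:PrincipalArn is the ARN of the IAM role (not the assumed-role session) when a role calls STS directly, and aws:SourceArn is only populated when an AWS service makes the request on behalf of a resource, so for a direct AssumeRole call it is absent and the original condition can never be satisfied. The account IDs and role names are constructed placeholders.

```python
"""Offline model of cross-account trust-policy evaluation (constructed example).

Not AWS code. Account IDs and role names are placeholders.
"""
import re

TRUSTED_ACCOUNT = "111122223333"  # constructed stand-in for ACCOUNT_NR_A

# The working policy from the answer: StringLike on aws:PrincipalArn.
WORKING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {
            "aws:PrincipalArn": f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/*_my_suffix"}},
    }],
}

# The question's original policy: ArnLike on aws:SourceArn, kept for comparison.
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {
            "aws:SourceArn": f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/*_my_suffix"}},
    }],
}


def wildcard_match(pattern: str, value: str) -> bool:
    """StringLike semantics: case-sensitive; '*' matches any run of characters
    (including '/' and ':'), '?' matches exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like_match(pattern: str, value: str) -> bool:
    """ArnLike semantics: the six colon-delimited ARN components are matched
    separately, so a '*' never spans a ':' boundary."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    return len(p_parts) == len(v_parts) == 6 and all(
        wildcard_match(p, v) for p, v in zip(p_parts, v_parts))


def principal_matches(principal: dict, caller_arn: str) -> bool:
    """'AWS' principals: '*' is anyone, '<account>:root' is any principal in
    that account, otherwise the ARN must match exactly (no wildcards here)."""
    allowed = principal.get("AWS", [])
    allowed = [allowed] if isinstance(allowed, str) else allowed
    for entry in allowed:
        if entry == "*" or entry == caller_arn:
            return True
        if entry.endswith(":root") and entry.split(":")[4] == caller_arn.split(":")[4]:
            return True
    return False


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator/key pair must match. A key absent from the request
    context fails the condition (no ...IfExists suffix is used)."""
    matchers = {"StringLike": wildcard_match, "ArnLike": arn_like_match,
                "StringEquals": lambda p, v: p == v}
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            actual = context.get(key)
            if actual is None or not any(matchers[operator](p, actual) for p in patterns):
                return False
    return True


def evaluate_assume_role(policy: dict, caller_arn: str, context: dict = None) -> str:
    """Return 'Allow' or 'Deny' for sts:AssumeRole made by caller_arn.
    Default context models an IAM principal calling STS directly:
    aws:PrincipalArn is set, aws:SourceArn is not."""
    if context is None:
        context = {"aws:PrincipalArn": caller_arn,
                   "aws:PrincipalAccount": caller_arn.split(":")[4]}
    decision = "Deny"  # implicit deny unless some statement allows
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(wildcard_match(a, "sts:AssumeRole") for a in actions):
            continue
        if not principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for arn in [f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/deploy_my_suffix",
                f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/ci/path/build_my_suffix",
                f"arn:aws:iam::{TRUSTED_ACCOUNT}:role/admin",
                f"arn:aws:iam::{TRUSTED_ACCOUNT}:user/alice_my_suffix",
                "arn:aws:iam::999999999999:role/deploy_my_suffix"]:
        print(f"{arn:58} working={evaluate_assume_role(WORKING_TRUST_POLICY, arn):5} "
              f"broken={evaluate_assume_role(BROKEN_TRUST_POLICY, arn)}")
```

Two points the model makes visible: StringLike's `*` also matches `/`, so roles with an IAM path still match the suffix pattern, and the pattern only constrains the role name, not who created it. Anyone in the trusted account with iam:CreateRole can create a role whose name ends in _my_suffix and assume your role, so the trusting account's protection is only as strong as role-creation controls in account A.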
3

It is not possible to use a wildcard in the trust policy except "Principal" : { "AWS" : "*" }. The reason being when you specify an identity as Principal, you must use the full ARN since IAM translates it to the unique ID, e.g. AIDAxxx (for an IAM user) or AROAxxx (for an IAM role). Below is from the documentation:

If your Principal element in a role trust policy contains an ARN that points to a specific IAM user, then that ARN is transformed to the user's unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their privileges by removing and recreating the user. You don't normally see this ID in the console, because there is also a reverse transformation back to the user's ARN when the trust policy is displayed.

sudo
0

This seems to be an issue with delegating access to the trusting account (your account) and not the trusted account (the _my_suffix AWS account). These are a few things that you can check at the following URL.

Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Thanks

  • Thanks for your answer, but I don't want to rely ONLY on the permissions set in the roles that belong to ACCOUNT_NR_A, as any user can create a policy granting himself the usage of my role. Actually that's why I want to use a pattern-like policy. – charli Nov 22 '18 at 13:13