STS Role Trust relationship

Question

I have defined a trust relationship in destination account using

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

I want to add a condition to allow only a specific user to have access to this account when using federations (STS). So I've modified the trust relationship as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:user-name": "[USER-NAME-FROM-SOURCE-ACCOUNT]"
        }
      }
    }
  ]
}

However, this condition is not getting evaluated. Is aws:user-name right in this case for verifying this condition?

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

score 2 · Accepted Answer · answered May 29 '19 at 10:38

2

You can actually specify a specific user in the principal field if you specify the user arn, e.g.:

"Principal": { 
  "AWS": "arn:aws:iam::123456789012:user/<username>" 
},

answered May 29 '19 at 10:38

Blokje5

4,763
1
20
37

STS Role Trust relationship

1 Answers1