I have a lambda that needs quite a lot of permissions because it automatically kills temporary resources, so I have assigned the managed policy AdministratorAccess. What I want to do is to restrict this role to only be assumed by a specific lambda function. I have tried to set a condition on sts:AssumeRole, but when trying to assign this role to a lambda I get an error:
Your role is not ready, or cannot be assumed by Lambda. Please wait up to a minute and try again.
Maybe relevant: the lambda and role CF-stack is deployed with CodePipeline that uses a role CICD-Pipeline. Has anyone done this? This is what I have so far:
LambdaExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: common-delete-stack-Role
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: [sts:AssumeRole]
          Condition:
            StringEquals:
              aws:SourceArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:common-delete-stack
    ManagedPolicyArns: [arn:aws:iam::aws:policy/AdministratorAccess]
I've also tried this Condition with the same result.
          Condition:
            StringEquals:
              lambda:FunctionArn: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:common-delete-stack
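As an added example (not the question author's code and not an AWS tool): a small Python audit that flags trust-policy statements which let the Lambda service principal call sts:AssumeRole without a condition pinning the calling function or account (aws:SourceArn / aws:SourceAccount). This is the shape a reviewer checks for when a role carries AdministratorAccess. It assumes the AssumeRolePolicyDocument is available as JSON (the question's YAML with the !Sub values rendered); the sample documents below are constructed, and whether Lambda honours these keys in the execution role's trust policy should be confirmed against current AWS documentation, since the script only inspects the document's structure.

```python
"""Audit an IAM role trust policy for an unscoped Lambda service principal.

Added example, not the question author's code. Reports every Allow statement
that lets lambda.amazonaws.com (or "*") call sts:AssumeRole with no condition
referencing aws:SourceArn / aws:SourceAccount.
"""
import json
import sys

LAMBDA_PRINCIPAL = "lambda.amazonaws.com"
# Global condition keys that pin the calling function/account (IAM matches
# condition key names case-insensitively, so compare in lowercase).
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _as_list(value):
    """IAM accepts scalar-or-list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_lambda_assume(statement):
    """True if the statement lets the Lambda service principal assume the role."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    if not actions & {"sts:assumerole", "sts:*", "*"}:
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True  # anyone, which includes the Lambda service
    if not isinstance(principal, dict):
        return False
    return LAMBDA_PRINCIPAL in _as_list(principal.get("Service"))


def _pins_caller(statement):
    """True if any condition operator references a caller-scoping key."""
    condition = statement.get("Condition") or {}
    for keys in condition.values():  # e.g. {"StringEquals": {"aws:SourceArn": ...}}
        if isinstance(keys, dict) and any(k.lower() in SCOPING_KEYS for k in keys):
            return True
    return False


def find_unscoped_lambda_trusts(trust_policy):
    """Return the index of every statement that trusts Lambda without a caller pin."""
    statements = _as_list(trust_policy.get("Statement"))
    return [i for i, s in enumerate(statements)
            if _allows_lambda_assume(s) and not _pins_caller(s)]


# Constructed samples: the question's trust policy rendered to JSON with
# made-up region/account values, and the same policy without the Condition.
SCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["lambda.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
        "Condition": {"StringEquals": {
            "aws:SourceArn": "arn:aws:lambda:eu-west-1:111122223333:function:common-delete-stack"
        }},
    }],
}
UNSCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["lambda.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
}

if __name__ == "__main__":
    # Usage: python audit_trust.py [trust-policy.json]; without a path the
    # constructed samples are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            docs = {sys.argv[1]: json.load(fh)}
    else:
        docs = {"scoped": SCOPED_TRUST, "unscoped": UNSCOPED_TRUST}
    for name, doc in docs.items():
        hits = find_unscoped_lambda_trusts(doc)
        print(f"{name}: {'OK' if not hits else 'unscoped Lambda trust in statement(s) ' + str(hits)}")
```

Run against a role's trust policy exported with `aws iam get-role` to list statements worth a second look; a hit means any function in the account that is given the role can assume it, which matters most when the attached policy is as broad as AdministratorAccess.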