1

I have created policy like below. I want to allow to CreateRole with snowflake_access policy only. Every time I'm executing the lambda code I can also attach other policies to this role. I don't know why because clearly I have denied other policies and allow only one. Can someone help me with that?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/snowflake-role*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": [
                "arn:aws:iam::7882...:policy/snowflake_access",
                "arn:aws:iam::*:role/snowflake-role*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": [
                "arn:aws:iam::*:role/snowflake-role*"
            ]
        }
    ]
}
jarmod
  • 71,565
  • 16
  • 115
  • 122
wilkux
  • 109
  • 1
  • 8

1 Answers1

2

If you look at actions defined by IAM, you will see a table that maps actions to, among other things, resource types and condition keys. For example:

Action Resource Type(s) Condition Keys
AttachRolePolicy role* iam:PolicyARN
iam:PermissionsBoundary
CreateRole role* iam:PermissionsBoundary
aws:TageKeys
aws:RequestTage/${TagKey}

Note specifically that the AttachRolePolicy action applies to IAM roles only, not to policies. You've indicated a role ARN (snowflake-role*) and a policy ARN (snowflake_access), but only the former is legal here.

The same table entry also indicates that iam:PolicyARN is a valid condition key for the AttachRolePolicy action. So, to indicate a policy ARN, you can add a condition key of iam:PolicyARN, something like this.

{
    "Sid": "sid1",
    "Effect": "Allow",
    "Action": "iam:AttachRolePolicy",
    "Resource": [
        "arn:aws:iam::*:role/snowflake-role*"
    ],
    "Condition": {
        "StringEquals": {
            "iam:PolicyARN": "arn:aws:iam::7882...:policy/snowflake_access"
        }
    }
},

I'm not sure this resolves all of the problems you have, but I think it's one part of the problem.

jarmod
  • 71,565
  • 16
  • 115
  • 122