
I have a trust policy:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": [
    "sts:AssumeRole",
    "sts:TagSession"
  ],
  "Condition": {
    "ForAnyValue:StringLike": {
      "aws:PrincipalArn": [
        "arn:aws:sts::AccountId:assumed-role/..",
        "arn:aws:sts::AccountId:assumed-role/..another_one_*"
      ]
    }
  }
}

But with this condition, it says that "arn:aws:sts::AccountId:assumed-role/..another_one_*" is not authorized to use sts:TagSession. When I remove the condition it works correctly, so I don't understand whether my condition is incorrect?

Abdullah Khawer
  • I tried your example and for me it is actually working, there seems to be no problem with the wildcard. My assumed role gets access to sts:TagSession. I noticed however, that it takes some time for the policy change to take effect, and during the first tries the `aws cli` switched back and forth between access denied and access allowed before it went stable, for some reason... – eli6 Feb 08 '22 at 14:29
  • IAM propagation takes a little time. – jarmod Feb 08 '22 at 23:48
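To see what the condition in the question actually decides, here is a small evaluator (added here, not part of the question or of any AWS library) for the ForAnyValue:StringLike operator on aws:PrincipalArn, plus a check for the situation the asker describes when the condition is removed: an Allow for Principal "*" with nothing pinning the caller. The account id and role names are constructed; the first pattern has no wildcard and so matches only an identical ARN, while the second matches any suffix.

```python
import re

# Constructed example with the same shape as the statement in the question;
# the account id and role names are made up for this illustration.
TRUST_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["sts:AssumeRole", "sts:TagSession"],
    "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalArn": [
        "arn:aws:sts::111122223333:assumed-role/deploy-role",   # exact match only
        "arn:aws:sts::111122223333:assumed-role/build_*",       # wildcard suffix
    ]}},
}

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters,
    '?' matches exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def for_any_value_string_like(patterns, values) -> bool:
    """ForAnyValue: true if at least one request value matches at least one
    pattern. A key absent from the request (empty list) never matches."""
    return any(string_like(p, v) for v in values for p in patterns)

def condition_allows(statement: dict, request_context: dict) -> bool:
    """Evaluate the Condition block against a request context (only the
    operator used in the question is implemented; others raise)."""
    for operator, clauses in statement.get("Condition", {}).items():
        if operator != "ForAnyValue:StringLike":
            raise NotImplementedError(operator)
        for key, patterns in clauses.items():
            if not for_any_value_string_like(patterns, request_context.get(key, [])):
                return False  # every key in the block must hold (logical AND)
    return True  # no Condition at all: nothing narrows the Principal

def open_to_any_principal(statement: dict) -> bool:
    """Defender's check: an Allow for Principal AWS '*' whose condition does not
    pin a principal-identifying key can be assumed from any AWS account."""
    if statement.get("Effect") != "Allow":
        return False
    if statement.get("Principal", {}).get("AWS") not in ("*", ["*"]):
        return False
    narrowing = {"aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID"}
    used = {k for clauses in statement.get("Condition", {}).values() for k in clauses}
    return not (used & narrowing)
```

AWS documents aws:PrincipalArn for a role session as the IAM role ARN (arn:aws:iam::account:role/name) rather than the session's sts assumed-role ARN, so patterns are usually written against that form; the evaluator treats the value as an opaque string either way.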

0 Answers