I have a set of roles in the format hi-role1- & hi-role2- that need to assume h1-role3. All these roles are deployed through terraform & spinnaker, and random characters are assigned at the end for role1 & role2. I am not able to come up with a trust policy that narrows down the sts to just those roles, as AWS expects the complete ARN and won't let me add a wildcard like hi-role1-*. Is there any way to make this work? This is what it looks like now:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "*"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "12345"
        }
      }
    }
  ]
}
```
I want to narrow it down to this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::12345:role/hi-role1-*",
          "arn:aws:iam::12345:role/hi-role2-*"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": "12345"
        }
      }
    }
  ]
}
```
I am not so familiar with AWS, and everything I looked at says it is not supported. I don't want to leave my trust policy wide open. Thanks for any help/suggestions!
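The usual way around this, shown here as an added example that is not part of the question above, is to leave the `Principal` element at the account root (or `*`, as the question's current policy does) and move the wildcard into a `Condition` block: the `ArnLike` operator on the `aws:PrincipalArn` condition key accepts `*` and `?` wildcards, whereas the `Principal` element does not. For a role session, `aws:PrincipalArn` carries the ARN of the role itself, so `arn:aws:iam::12345:role/hi-role1-*` matches every `hi-role1-<random>` role regardless of the suffix terraform generates. The account id `12345` is the placeholder from the question; the `Sid` value, the sample caller ARNs and the local `arn_like`/`is_trusted` evaluator are my own additions written to illustrate how the condition is matched, not AWS's evaluation engine.

```python
import json
import re

ACCOUNT_ID = "12345"  # placeholder account id taken from the question

# Suggested trust policy (not from the original post). The Principal is kept
# at the account root rather than "*", so that even if the Condition block is
# ever dropped by mistake the role is still only assumable from this account.
# The narrowing to hi-role1-* / hi-role2-* happens in the ArnLike condition.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowHiRole1AndHiRole2",  # assumed name, not from the question
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": [
                        f"arn:aws:iam::{ACCOUNT_ID}:role/hi-role1-*",
                        f"arn:aws:iam::{ACCOUNT_ID}:role/hi-role2-*",
                    ]
                }
            },
        }
    ],
}


def arn_like(pattern: str, arn: str) -> bool:
    """Local approximation of IAM's ArnLike operator.

    Each of the six colon-delimited ARN components is compared separately;
    inside a component '*' matches any run of characters and '?' matches
    exactly one character. Anything else is matched literally.
    """
    pattern_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pattern_parts) != 6 or len(arn_parts) != 6:
        return False
    for pat, actual in zip(pattern_parts, arn_parts):
        regex = "".join(
            ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pat
        )
        if re.fullmatch(regex, actual, re.DOTALL) is None:
            return False
    return True


def _condition_holds(operator: str, key_values: dict, context: dict) -> bool:
    """Evaluate one condition operator block against the request context."""
    for key, allowed in key_values.items():
        allowed = [allowed] if isinstance(allowed, str) else allowed
        actual = context.get(key)
        if actual is None:
            return False  # a missing key never satisfies a positive operator
        if operator == "ArnLike":
            if not any(arn_like(p, actual) for p in allowed):
                return False
        elif operator == "StringEquals":
            if actual not in allowed:
                return False
        else:
            raise ValueError(f"operator {operator!r} is not modelled here")
    return True


def is_trusted(policy: dict, caller_arn: str) -> bool:
    """Return True if some Allow statement lets caller_arn call sts:AssumeRole.

    Only the subset of IAM semantics needed for this trust policy is modelled:
    the Principal is "*", the caller's account root, or the caller's exact ARN,
    and conditions use ArnLike on aws:PrincipalArn or StringEquals on
    aws:PrincipalAccount.
    """
    caller_account = caller_arn.split(":")[4]
    context = {"aws:PrincipalArn": caller_arn, "aws:PrincipalAccount": caller_account}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        admitted = {"*", f"arn:aws:iam::{caller_account}:root", caller_arn}
        if not any(p in admitted for p in principals):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, kv, context) for op, kv in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    for caller in (  # constructed sample callers, not real roles
        f"arn:aws:iam::{ACCOUNT_ID}:role/hi-role1-x7q2k",
        f"arn:aws:iam::{ACCOUNT_ID}:role/hi-role3",
        "arn:aws:iam::99999:role/hi-role1-x7q2k",
    ):
        print(f"{caller}: {'allowed' if is_trusted(TRUST_POLICY, caller) else 'denied'}")
```

Two caveats when deploying a policy shaped like this. First, with the account root as principal, a role in account 12345 can assume the target only if its own identity policy also grants `sts:AssumeRole` on the target role's ARN, so the identity side still needs the matching `Allow`. Second, the random suffix is what makes the wildcard necessary, so keep the prefix (`hi-role1-`, `hi-role2-`) stable and unique to these roles; a pattern such as `hi-*` would also admit any other future role whose name happens to start with `hi-`.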