Is it possible to specify a pattern for an AWS role Trust Relationship
I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.
I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn't work (access is denied):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
On the other hand, this policy works but it's too open, as it allows any user/role in account A to assume my role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
So, is there any way to allow only a set of roles without being explicitly specified?
amazon-web-services amazon-iam aws-iam aws-iam-roles
asked Nov 22 '18 at 10:47
charli
1,027814
2 Answers
It is not possible to use a wildcard in the trust policy except "Principal" : { "AWS" : "*" }. The reason being that when you specify an identity as Principal, you must use the full ARN since IAM translates it to the unique ID, e.g. AIDAxxx (for IAM user) or AROAxxx (for IAM role). Below is from the document:
If your Principal element in a role trust policy contains an ARN that points to a specific IAM user, then that ARN is transformed to the user's unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their privileges by removing and recreating the user. You don't normally see this ID in the console, because there is also a reverse transformation back to the user's ARN when the trust policy is displayed.
answered Nov 23 '18 at 20:57
sudo
1,1941310
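The following is an added example, written for this page and not code from either the question or the answers. It models, in a few dozen lines of Python, the parts of IAM trust-policy evaluation that both posts above turn on: the question's policy fails because `aws:SourceArn` is never present in the request context when an IAM principal calls `sts:AssumeRole` directly (IAM populates that key only when an AWS service calls on behalf of a resource), the `:root` principal alone trusts every identity in the account, and the answer's point that `Principal` entries are pinned to unique IDs is why no wildcard is accepted there. It also shows the documented alternative the thread does not mention: keeping the `:root` principal and adding an `ArnLike` condition on the `aws:PrincipalArn` global condition key, which IAM does match per ARN component with `*` and `?`. The evaluator is a simplified stand-in for IAM's own logic, the account id is a constructed placeholder for the question's `ACCOUNT_NR_A`, and the role names are constructed.

```python
import re

# Constructed stand-in for the question's ACCOUNT_NR_A placeholder (not a real account).
ACCOUNT_A = "111111111111"


def arn_like(pattern: str, value: str) -> bool:
    """IAM's ArnLike operator: the six colon-delimited ARN components are compared
    one by one; inside a component '*' matches any run of characters and '?' exactly
    one character. This is a simplified model of the documented behaviour."""
    p_parts = pattern.split(":", 5)
    v_parts = value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    for p, v in zip(p_parts, v_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, v) is None:
            return False
    return True


def principal_matches(principal: dict, ctx: dict) -> bool:
    """Principal element: '*' trusts anyone, 'arn:aws:iam::ACCOUNT:root' trusts every
    IAM identity in that account, and any other identity ARN must match exactly
    (IAM stores it as the identity's unique ID, so no wildcards are possible)."""
    allowed = principal.get("AWS", [])
    if isinstance(allowed, str):
        allowed = [allowed]
    for entry in allowed:
        if entry == "*":
            return True
        if entry.endswith(":root"):
            if entry.split(":")[4] == ctx["aws:PrincipalAccount"]:
                return True
        elif entry == ctx["aws:PrincipalArn"]:
            return True
    return False


def conditions_hold(condition: dict, ctx: dict) -> bool:
    """Only ArnLike is modelled. A key that is absent from the request context is a
    non-match, which is exactly why the aws:SourceArn condition denies here."""
    for operator, pairs in condition.items():
        if operator != "ArnLike":
            raise NotImplementedError(operator)
        for key, pattern in pairs.items():
            value = ctx.get(key)
            if value is None or not arn_like(pattern, value):
                return False
    return True


def assume_role_allowed(trust_policy: dict, ctx: dict) -> bool:
    """True if some Allow statement for sts:AssumeRole matches principal and conditions."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if principal_matches(stmt["Principal"], ctx) and conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False


def request_context(role_name: str) -> dict:
    """Constructed request context for a role in account A calling sts:AssumeRole
    itself. aws:SourceArn is absent on purpose: IAM only sets it when an AWS
    service makes the call on behalf of a resource, never for a direct caller."""
    return {
        "aws:PrincipalAccount": ACCOUNT_A,
        "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_A}:role/{role_name}",
    }


def trust_policy(condition=None) -> dict:
    """Builds the question's trust policy shape with an optional Condition block."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": "sts:AssumeRole",
    }
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# The question's first policy (ArnLike on aws:SourceArn), its second (root only),
# and the same pattern applied to the aws:PrincipalArn global condition key instead.
SUFFIX_PATTERN = f"arn:aws:iam::{ACCOUNT_A}:role/*_my_suffix"
POLICY_SOURCE_ARN = trust_policy({"ArnLike": {"aws:SourceArn": SUFFIX_PATTERN}})
POLICY_ROOT_ONLY = trust_policy()
POLICY_PRINCIPAL_ARN = trust_policy({"ArnLike": {"aws:PrincipalArn": SUFFIX_PATTERN}})


def evaluate(role_name: str) -> dict:
    """Outcome of the three trust policies for one caller role in account A."""
    ctx = request_context(role_name)
    return {
        "source_arn": assume_role_allowed(POLICY_SOURCE_ARN, ctx),
        "root_only": assume_role_allowed(POLICY_ROOT_ONLY, ctx),
        "principal_arn": assume_role_allowed(POLICY_PRINCIPAL_ARN, ctx),
    }


if __name__ == "__main__":
    for role in ("deploy_my_suffix", "admin_my_suffix_old", "unrelated"):
        print(role, evaluate(role))
```

Running it shows `deploy_my_suffix` denied by the `aws:SourceArn` policy, allowed by the root-only policy, and allowed by the `aws:PrincipalArn` policy, while `unrelated` is allowed only by the root-only policy. The trade-off a defender should weigh is the one the answer above describes: a `Principal` entry is pinned to the identity's unique ID and survives delete-and-recreate of a same-named role, whereas an `aws:PrincipalArn` condition compares ARN text, so a role deleted and recreated in account A under a matching name is trusted again. The pattern approach therefore still depends on who in account A is allowed to create roles with that suffix, which is the concern raised in the comment under the second answer.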
This seems to be an issue with delegating access to the trusting account (your account) and not the trusted account (the _my_suffix AWS account). These are a few things that you can check in the following URL.
Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Thanks
answered Nov 22 '18 at 11:05
Amey Puranik
83
Thanks for your answer, but I don't want to rely ONLY on the permissions set in the roles that belong to ACCOUNT_NR_A, as any user can create a policy granting himself the usage of my role. Actually that's why I want to use a pattern-like policy.
– charli
Nov 22 '18 at 13:13