Is it possible to specify a pattern for an AWS role Trust Relationship












I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.



I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn't work (access is denied):



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


On the other hand, this policy works but it's too open, as it allows any user/role in account A to assume my role:



{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}


So, is there any way to allow only a set of roles without specifying them explicitly?










amazon-web-services amazon-iam aws-iam aws-iam-roles

asked Nov 22 '18 at 10:47
charli

2 Answers

It is not possible to use a wildcard in the trust policy except "Principal" : { "AWS" : "*" }. The reason being that when you specify an identity as Principal, you must use the full ARN, since IAM translates it to the unique ID, e.g. AIDAxxx (for an IAM user) or AROAxxx (for an IAM role). Below is the text from the documentation:

    If your Principal element in a role trust policy contains an ARN that
    points to a specific IAM user, then that ARN is transformed to the
    user's unique principal ID when the policy is saved. This helps
    mitigate the risk of someone escalating their privileges by removing
    and recreating the user. You don't normally see this ID in the
    console, because there is also a reverse transformation back to the
    user's ARN when the trust policy is displayed.

answered Nov 23 '18 at 20:57
sudo

This seems to be an issue with delegating access to the trusting account (your account) and not the trusted account (_my_suffix - AWS account). These are a few things that you can check in the following URL.

Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

Thanks

answered Nov 22 '18 at 11:05
Amey Puranik

• Thanks for your answer, but I don't want to rely ONLY on the permissions set in the roles that belong to ACCOUNT_NR_A, as any user can create a policy granting himself the usage of my role. Actually that's why I want to use a pattern-like policy.
  – charli
  Nov 22 '18 at 13:13
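As an added example (editor's code, not from the question or either answer), the following Python script models how IAM evaluates the two trust policies in the question against a direct sts:AssumeRole call. It captures the point of the first answer (the Principal element takes "*", an account root or one exact identity ARN, never a pattern) and the reason the asker's first policy is denied: an ArnLike condition on a key that is absent from the request context is false, and aws:SourceArn is only populated when an AWS service calls on behalf of a resource, not when an IAM role calls AssumeRole itself. A third policy, which is not on the page, keeps the asker's structure (Principal = account root plus an ArnLike condition) but matches the suffix pattern against the global condition key aws:PrincipalArn, which IAM fills with the calling role's ARN. The account numbers, role names and the six-component ArnLike simplification are constructed for the example; the script is a model of the rules discussed, not the IAM engine.

```python
"""Toy model of how IAM evaluates the trust policies in the question.

Added example; it is not code from the question or either answer.  It covers
only what the page discusses: the Principal element, the ArnLike operator and
what happens when a condition key is absent from the request context.
"""
import fnmatch
from typing import Dict, List

ACCOUNT_A = "111111111111"  # constructed stand-in for ACCOUNT_NR_A
ACCOUNT_B = "222222222222"  # constructed: an unrelated account


def account_root(account_id: str) -> str:
    return f"arn:aws:iam::{account_id}:root"


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike compares the six colon-delimited ARN components one by one;
    '*' and '?' are wildcards inside a component and never cross a colon.
    Simplification for this model: both sides must have exactly six parts."""
    p_parts = pattern.split(":", 5)
    v_parts = value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(fnmatch.fnmatchcase(v, p) for p, v in zip(p_parts, v_parts))


OPERATORS = {"ArnLike": arn_like}


def principal_matches(principal: Dict[str, str], caller_arn: str) -> bool:
    """The AWS principal is "*", an account root (any identity in that
    account) or one exact identity ARN.  There is no pattern form: as the
    accepted answer explains, identity ARNs are stored as unique IDs."""
    spec = principal["AWS"]
    if spec == "*":
        return True
    if spec.endswith(":root"):
        return caller_arn.split(":")[4] == spec.split(":")[4]
    return spec == caller_arn


def statement_allows(stmt: dict, ctx: Dict[str, str]) -> bool:
    if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
        return False
    if not principal_matches(stmt["Principal"], ctx["aws:PrincipalArn"]):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, pattern in pairs.items():
            # A key missing from the request context makes the condition
            # false (only the Null and ...IfExists operators behave differently).
            if key not in ctx or not OPERATORS[operator](pattern, ctx[key]):
                return False
    return True


def trust_policy_allows(policy: dict, ctx: Dict[str, str]) -> bool:
    return any(statement_allows(s, ctx) for s in policy["Statement"])


def assume_role_context(caller_role_arn: str) -> Dict[str, str]:
    """Request context of a direct sts:AssumeRole call made by an IAM role.
    aws:PrincipalArn carries the calling role's ARN.  aws:SourceArn is absent:
    IAM sets it only when an AWS service calls on behalf of a resource."""
    return {"aws:PrincipalArn": caller_role_arn}


def trust_policy(account_id: str, condition: dict = None) -> dict:
    """Build a trust policy with the structure used in the question."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": account_root(account_id)},
        "Action": "sts:AssumeRole",
    }
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


SUFFIX_PATTERN = f"arn:aws:iam::{ACCOUNT_A}:role/*_my_suffix"
# The asker's two policies from the question.
POLICY_SOURCE_ARN = trust_policy(ACCOUNT_A, {"ArnLike": {"aws:SourceArn": SUFFIX_PATTERN}})
POLICY_OPEN = trust_policy(ACCOUNT_A)
# Not on the page: same shape, but the pattern is checked against the key
# IAM actually populates with the caller's role ARN.
POLICY_PRINCIPAL_ARN = trust_policy(ACCOUNT_A, {"ArnLike": {"aws:PrincipalArn": SUFFIX_PATTERN}})

CALLERS = [  # constructed sample callers
    f"arn:aws:iam::{ACCOUNT_A}:role/deploy_my_suffix",
    f"arn:aws:iam::{ACCOUNT_A}:role/admin",
    f"arn:aws:iam::{ACCOUNT_B}:role/deploy_my_suffix",
]


def evaluate(policy: dict, callers: List[str] = CALLERS) -> Dict[str, bool]:
    """Map each caller ARN to whether the trust policy lets it assume the role."""
    return {arn: trust_policy_allows(policy, assume_role_context(arn)) for arn in callers}


if __name__ == "__main__":
    for name, pol in [("aws:SourceArn pattern (question)", POLICY_SOURCE_ARN),
                      ("account root, no condition (question)", POLICY_OPEN),
                      ("aws:PrincipalArn pattern (editor's variant)", POLICY_PRINCIPAL_ARN)]:
        print(name)
        for arn, allowed in evaluate(pol).items():
            print(f"  {'ALLOW' if allowed else 'DENY '} {arn}")
```

Two things the model makes visible for the comment's concern. First, a trust policy is only half of a cross-account assumption: the calling role also needs sts:AssumeRole on your role in its own identity policy, which is what the second answer's tutorial link covers. Second, with the aws:PrincipalArn variant the trust no longer rests on everyone in account A who can write themselves an sts:AssumeRole permission, but on whoever in account A can create a role whose name ends in _my_suffix (iam:CreateRole; roles cannot be renamed after creation), so that permission is the one to review in account A and to watch for in its CloudTrail CreateRole events. Real policies should still be checked with the IAM policy simulator rather than with this toy.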

















