Defining assumed role as principal

0

Using the nodejs sdk, it seems to be using an assumed role

arn:aws:sts::000000000000:assumed-role/event-service/aws-sdk-js-session-0000000000

I'm trying to grant this role access to AWS resources in another account

{
    "Principal": 
    {
        "AWS":"arn:aws:iam::000000000000:role/event-service"
    }
}

And using the assumed role doesn't seem practical, as the session id would change.

From reading these docs https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous I don't believe wildcards are an option either, so neither of these will work:

{
    "Principal": 
    {
        "AWS":"arn:aws:iam::000000000000:role/event-service/*"
    }
}

{
    "Principal": 
    {
        "AWS":"arn:aws:sts::000000000000:assumed-role/event-service/*"
    }
}

Is there a way to define a principal as a role/assumed from another account when using the SDK assumed roles?

1 Answer
0

Hello there! I understand that it is not possible to use wildcards like arn:aws:sts::000000000000:assumed-role/event-service/* or "arn:aws:iam::000000000000:role/event-service/*" in the principal section of the role trust policy.

Instead, you can make use of the AWS global condition key aws:userid as below:

{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::{Account}:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringLike": {
            "aws:userid": "role-id:caller-specified-role-name"
        }
    }
}

Here, aws:userid is role-id:caller-specified-role-name.

You can get the value of role-id using:

A) role-id: aws iam get-role --role-name <ROLE-NAME>

B) You can set the caller-specified-role-name value as *

AWS
SUPPORT ENGINEER
answered 2 months ago
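The trust policy from the answer, assembled and checked as an added Python example (not code from the original answer or from AWS); the account ID and role ID are constructed placeholders, and `string_like` is a simplified model of IAM's StringLike operator for this single condition key.

```python
import json
import re

# Constructed placeholder values: not real AWS identifiers.
ACCOUNT_ID = "000000000000"
ROLE_ID = "AROAEXAMPLEROLEID00000"  # the RoleId field returned by `aws iam get-role`


def build_trust_policy(account_id: str, role_id: str) -> dict:
    """Trust policy letting every session of one specific role assume this role."""
    # Principal is the whole account (":root"); the role restriction lives
    # entirely in the aws:userid condition below.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            # '*' under StringLike matches any caller-specified session name of this role
            "Condition": {"StringLike": {"aws:userid": f"{role_id}:*"}},
        }],
    }


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' = any substring, '?' = one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def session_allowed(policy: dict, caller_userid: str) -> bool:
    """Evaluate only the aws:userid StringLike condition of the policy."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:userid")
        if patterns is None:
            return True  # no condition: the whole principal is trusted
        for pat in patterns if isinstance(patterns, list) else [patterns]:
            if string_like(pat, caller_userid):
                return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, ROLE_ID)
    print(json.dumps(policy, indent=2))
    print(session_allowed(policy, f"{ROLE_ID}:aws-sdk-js-session-1700000000"))
```

A session of a different role, or a bare role ID without a session part, does not satisfy the condition, which is the property the trailing-space key in a mistyped policy would silently break.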
