Permission boundary on IAM role trust policy

1

Is there any way I can restrict an IAM role trust policy, just like what a permissions boundary does?

The reason I'm asking is that when creating an IAM role for a 3rd-party OIDC provider, the most common way to validate the requester's identity is by the sub claim, e.g.

"Condition": {
  "StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
  }
}

If the sub condition is omitted, the role will be open to all users of that 3rd-party provider (in this case, all GitHub users). I want to give our developers flexibility in creating their own IAM roles, but have a guardrail that prevents them from creating wide-open IAM roles (just like why we have permissions boundaries).

Edit: Or at least allow us to set a default subject value for the identity provider, and let us select it when creating an IAM role, just like how we do for the audience now.

So instead of going back to edit the trust policy every time we create an IAM role, we can set the default subject condition upfront.
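The asker's concern is that a GitHub OIDC trust policy without a `sub` condition (or with a wildcard `StringLike` on it) is assumable from any repository. Since there is no built-in control on trust-policy contents, one practical guardrail is a detective check that scans each role's trust policy and flags such statements. The following is an added example, not code from the original post or from AWS; the function names (`find_open_oidc_statements`, `scan_sample_policies`) and the sample policies are constructed for illustration.

```python
"""
Detective guardrail for OIDC trust policies (added example, not from the original post).

Flags Allow statements that let a Federated OIDC principal call
sts:AssumeRoleWithWebIdentity without pinning the provider's `sub` claim.
The policies below are constructed samples. To run this against an account,
feed each role's `AssumeRolePolicyDocument` from boto3 `iam.list_roles()`
into find_open_oidc_statements().
"""

# Condition operators that actually constrain the subject (hypothetical allowlist
# chosen for this example; add others if your organization uses them).
SUB_OPERATORS = {
    "StringEquals",
    "StringLike",
    "ForAnyValue:StringEquals",
    "ForAnyValue:StringLike",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_sub_condition(condition, provider_host):
    """True when some operator pins '<provider_host>:sub' to a non-wildcard value."""
    sub_key = f"{provider_host}:sub".lower()
    for operator, keys in (condition or {}).items():
        if operator not in SUB_OPERATORS:
            continue
        for key, value in keys.items():
            if key.lower() != sub_key:
                continue
            values = [str(v).strip() for v in _as_list(value)]
            # StringLike with a bare "*" is as open as having no condition at all.
            if any(v == "*" for v in values):
                return False
            return True
    return False


def find_open_oidc_statements(policy):
    """Return a list of {statement index, provider host} for wide-open OIDC statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerolewithwebidentity", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("Federated")):
            # arn:aws:iam::<account>:oidc-provider/token.actions.githubusercontent.com
            provider_host = str(arn).rsplit("/", 1)[-1]
            if not _has_sub_condition(stmt.get("Condition"), provider_host):
                findings.append({"statement": idx, "provider": provider_host})
    return findings


# Constructed sample trust policies (the account ID is a placeholder).
_GITHUB = "token.actions.githubusercontent.com"
_PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{_GITHUB}"


def _policy(condition):
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": _PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


PINNED_POLICY = _policy({"StringEquals": {
    f"{_GITHUB}:aud": "sts.amazonaws.com",
    f"{_GITHUB}:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch",
}})
AUD_ONLY_POLICY = _policy({"StringEquals": {f"{_GITHUB}:aud": "sts.amazonaws.com"}})
WILDCARD_SUB_POLICY = _policy({"StringLike": {f"{_GITHUB}:sub": "*"}})


def scan_sample_policies():
    """Map sample-policy name to its findings, as a CI or Config-style check would."""
    return {
        "pinned": find_open_oidc_statements(PINNED_POLICY),
        "aud_only": find_open_oidc_statements(AUD_ONLY_POLICY),
        "wildcard_sub": find_open_oidc_statements(WILDCARD_SUB_POLICY),
    }


if __name__ == "__main__":
    for name, findings in scan_sample_policies().items():
        print(name, "OK" if not findings else f"OPEN: {findings}")
```

Run in a pipeline before a role is applied, or periodically across the account, the check fails on the `aud_only` and `wildcard_sub` shapes and passes the pinned one, which is the guardrail the question asks for, implemented as detection rather than as an IAM-enforced boundary.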

1 answer
-4

Take a look at this workshop, IAM PERMISSION BOUNDARIES DELEGATING ROLE CREATION. This shows how to grant access but require the delegated role to use your permissions boundary.

AWS
EXPERT
kentrad
answered 2 years ago
  • Thanks, but this seems to be restricting the role policy, not the trust policy.

    I am not going to restrict what the role can do, but who can assume the role.

    Can a permissions boundary do that?
