iam:CreateRole etc. have to be restricted with the PermissionBoundary condition in order to restrict the creatable roles.
But the idea was: why not apply the same condition to iam:DeleteRole? This would automatically lead to restricted deletion of roles.
But the problem that occurs is that IAM says I don't have the permission iam:DeleteRole???
Why does the iam:DeleteRole permission not work with the PermissionBoundary condition?
Here is my IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforcePermissionBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:DeleteRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PermissionsBoundary": [
            "arn:aws:iam::*:policy/<PermissionBoundary>"
          ]
        }
      }
    },
    {
      "Sid": "BlockPermissionBoundaryDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::*:policy/<PermissionBoundary>"
    },
    {
      "Sid": "BlockDetachingPermissionBoundary",
      "Effect": "Deny",
      "Action": [
        "iam:DeleteRolePermissionsBoundary"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
The error report is:
```
{"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::*:assumed-role// is not authorized to perform: iam:DeleteRole on resource: role ** because no identity-based policy allows the iam:DeleteRole action"}
```
Detaching/deleting the attached policies works, but not the deletion of the role.
I know that one solution would be an extra restriction of the iam:DeleteRole permission without the PermissionBoundary... but the question is: why is it not working at all??
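The alternative the post mentions, scoping iam:DeleteRole without the boundary condition, as an added example that is not part of the original post: the `iam:PermissionsBoundary` condition key is only populated in the request context of calls that create a principal or change its boundary or attached policies, so on a DeleteRole call the StringLike can never match and the Allow statement never applies. The role path `/app/` and the `<PermissionBoundary>` name are placeholders assumed for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAndModifyOnlyWithBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": "arn:aws:iam::*:role/app/*",
      "Condition": {
        "StringLike": {
          "iam:PermissionsBoundary": "arn:aws:iam::*:policy/<PermissionBoundary>"
        }
      }
    },
    {
      "Sid": "DeleteOnlyRolesInDelegatedPath",
      "Effect": "Allow",
      "Action": "iam:DeleteRole",
      "Resource": "arn:aws:iam::*:role/app/*"
    },
    {
      "Sid": "BlockBoundaryRemoval",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "*"
    }
  ]
}
```

Because DeleteRole can only be scoped by the target role's ARN (path and name) and not by the boundary attached to it, the shared `/app/` path is what ties the create and delete statements to the same set of roles.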