iam:DeleteRole not working with iam:PermissionBoundary

0

iam:CreateRole etc. have to be restricted with the PermissionBoundary condition to work in restricting the creatable roles. But the idea was, why not apply the same to iam:DeleteRole? This would automatically lead to restricted deletion of roles.

But the problem that occurs is that IAM says I don't have the permission iam:DeleteRole??? Why does the iam:DeleteRole permission not work with the PermissionBoundary condition?

Here is my IAM Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EnforcePermissionBoundary",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:PutRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:PutRolePermissionsBoundary",
                "iam:DeleteRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PermissionsBoundary": [
                        "arn:aws:iam::*:policy/<PermissionBoundary>"
                    ]
                }
            }
        },
        {
            "Sid": "BlockPermissionBoundaryDeletion",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:CreatePolicyVersion",
                "iam:DeletePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": "arn:aws:iam::*:policy/<PermissionBoundary>"
        },
        {
            "Sid": "BlockDetachingPermissionBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
The error report is: {"__type":"com.amazon.coral.service#AccessDeniedException","Message":"User: arn:aws:sts::*:assumed-role// is not authorized to perform: iam:DeleteRole on resource: role ** because no identity-based policy allows the iam:DeleteRole action"}

The detaching/deletion of attached policies is working, but not the deletion.

I know that one solution would be an extra restriction of the iam:DeleteRole permission without the PermissionBoundary... but the question is, why is it not working at all??

1 Answer
0
Accepted Answer

You can see from the Actions table that the DeleteRole action does not support the iam:PermissionsBoundary condition.

AWS EXPERT kentrad
answered 10 months ago
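Since iam:DeleteRole cannot be gated on the iam:PermissionsBoundary key, the deletion has to be restricted some other way. The policy below is an added example, not the answer's or AWS's own policy: it keeps the boundary condition on the actions that support it, scopes those actions to one role path, and gives iam:DeleteRole its own statement scoped to that same path, so only roles created under the boundary are deletable. `<PermissionBoundary>` is the placeholder from the question and `<RolePath>` is an assumed placeholder for a path you choose.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforcePermissionBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:PutRolePermissionsBoundary"
      ],
      "Resource": "arn:aws:iam::*:role/<RolePath>/*",
      "Condition": {
        "StringLike": {
          "iam:PermissionsBoundary": "arn:aws:iam::*:policy/<PermissionBoundary>"
        }
      }
    },
    {
      "Sid": "DeleteOnlyRolesInBoundaryPath",
      "Effect": "Allow",
      "Action": "iam:DeleteRole",
      "Resource": "arn:aws:iam::*:role/<RolePath>/*"
    },
    {
      "Sid": "BlockPermissionBoundaryDeletion",
      "Effect": "Deny",
      "Action": [
        "iam:DeletePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::*:policy/<PermissionBoundary>"
    },
    {
      "Sid": "BlockDetachingPermissionBoundary",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "*"
    }
  ]
}
```

Scoping iam:CreateRole to the same path is what makes the split safe: a role created outside `<RolePath>` is neither creatable nor deletable under this policy, so the deletion right never reaches roles that did not go through the boundary check.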
