Hello,
It seems like you would like to grant permissions to create an IAM role with only a trust policy that trusts service principals. However, this is not possible, as the actions "CreateRole" and "UpdateAssumeRolePolicy" enable users to add any AWS service, IAM user or IAM role as a principal. Users with these permissions will be able to update a role trust relationship policy without such restrictions. It is not possible to restrict the principals specified in the role's trust relationship policy, as we do not have any condition key or resource restriction that supports restricting those API actions.
Thank you for providing your valuable feedback on the service. We have an existing feature request to support this feature and I have added your voice to this request. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New and Blog pages for any new feature announcements.
Resources:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAssumeRolePolicy.html
- https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html
Hi, you can set up a global condition called aws:PrincipalIsAWSService which determines whether the principal is a service or not. More docs on this: https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/. Let me know if it hits in the right direction.
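Since the first answer explains that CreateRole and UpdateAssumeRolePolicy cannot be constrained to service principals at grant time, the practical fallback is a detective control: periodically read each role's trust policy and flag any Allow statement that lets a non-service principal assume the role. The script below is an added example written for this thread, not code from AWS or from either answer. It parses the trust-policy document format (string-or-list values for Principal and Action, the `AWS`/`Service`/`Federated` principal kinds, the `*` wildcard, NotPrincipal) and, following the second answer, treats a statement whose Condition requires `aws:PrincipalIsAWSService` to be `true` as service-only. The sample policy documents are constructed for the example; a real audit would feed it the output of `iam:GetRole` / `iam:ListRoles` instead.

```python
"""Audit IAM role trust policies offline and report statements that allow a
non-service principal to assume the role.  Added example for this thread; the
policy documents below are constructed samples, not real roles."""
import json

# Actions that hand out the role's credentials via STS (lower-cased for comparison).
ASSUME_ACTIONS = {"sts:assumerole", "sts:assumerolewithsaml",
                  "sts:assumerolewithwebidentity", "sts:tagsession", "sts:*", "*"}


def _as_list(value):
    """IAM allows a single string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume(statement):
    """True if the statement's Action covers an assume-role action.
    A NotAction statement is treated as matching, since it allows everything
    except the listed actions and we would rather over-report than miss it."""
    if "NotAction" in statement:
        return True
    actions = {a.lower() for a in _as_list(statement.get("Action"))}
    return bool(actions & ASSUME_ACTIONS)


def _service_only_by_condition(statement):
    """True if the statement's Condition pins aws:PrincipalIsAWSService to true,
    which (per the global condition key) only a service principal satisfies."""
    bool_cond = statement.get("Condition", {}).get("Bool", {})
    for key, value in bool_cond.items():
        if key.lower() == "aws:principalisawsservice":
            return str(value).lower() == "true"
    return False


def non_service_principals(trust_policy):
    """Return [(kind, value), ...] for every non-service principal that an
    Allow statement in this trust policy lets assume the role."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_assume(stmt):
            continue
        if _service_only_by_condition(stmt):
            continue
        if "NotPrincipal" in stmt:
            findings.append(("NotPrincipal", "*"))  # everyone except those listed
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(("*", "*"))
            continue
        if not isinstance(principal, dict):
            continue  # malformed statement; nothing to classify
        for kind, values in principal.items():
            if kind == "Service":
                continue  # service principals are the desired trust
            for value in _as_list(values):
                findings.append((kind, value))
    return findings


def audit(roles):
    """roles: {role_name: trust_policy_document}. Returns only roles with findings."""
    report = {}
    for name, policy in roles.items():
        hits = non_service_principals(policy)
        if hits:
            report[name] = hits
    return report


# Constructed sample trust policies (the account id and ARNs are placeholders).
SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
CROSS_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"},
     "Action": ["sts:AssumeRole", "sts:TagSession"]}]}
OPEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}
SERVICE_VIA_CONDITION = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:PrincipalIsAWSService": "true"}}}]}

SAMPLE_ROLES = {"lambda-exec": SERVICE_ONLY, "partner-access": CROSS_ACCOUNT,
                "legacy-open": OPEN, "svc-conditioned": SERVICE_VIA_CONDITION}

if __name__ == "__main__":
    for role, hits in audit(SAMPLE_ROLES).items():
        print(f"{role}: trusts non-service principals {hits}")
```

Because the page states there is no grant-time control, a finding here is a review item rather than proof of misuse; the natural follow-up is to pair this audit with CloudTrail monitoring of UpdateAssumeRolePolicy and CreateRole events so that a newly widened trust policy is noticed promptly.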
Definitely a good thing to know, and it was the first time I've seen that, so thanks for pointing it out! If I understand correctly, there would not be much point to using this on a role permissions policy because the principal would always be the role itself, not whatever entity assumed that role. I think that also means that there wouldn't be much use for it in a permissions boundary, permissions set, or a service control policy either, as those all constrain only permissions policies. (continued in next comment)
It would be useful in a trust policy if you wanted to limit use of a role to either humans or non-humans. Do I have that right?