It seems like you would like to grant permissions to create an IAM role with only a trust policy that trusts service principals. However, this is not possible, as the actions "CreateRole" and "UpdateAssumeRolePolicy" enable users to add any AWS service, IAM user or IAM role as a principal. Users with these permissions will be able to update a role's trust relationship policy without such restrictions. It is not possible to restrict the principals specified in the role's trust relationship policy, as we do not have any condition key or resource restriction that supports restricting those API actions in that way.
Thank you for providing your valuable feedback on the service. We have an existing feature request to support this feature and I have added your voice to this request. While I am unable to comment on if/when this feature may get released, I request you to keep an eye on our What's New and Blog pages for any new feature announcements.
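As an added example (not part of either answer above): since no condition key limits which principals a caller of `iam:CreateRole` / `iam:UpdateAssumeRolePolicy` may write into a trust policy, the practical fallback is a detective control that reads every role's `AssumeRolePolicyDocument` and flags any trusted principal that is not an AWS service principal. The helper names, the two policy documents and the account id `111122223333` below are constructed for illustration; a real run would feed `audit_roles()` the `Roles` list returned by boto3's `iam.list_roles()`.

```python
"""Detective check for IAM role trust policies.

Added example, not from the re:Post thread. IAM has no condition key that
limits which principals an iam:CreateRole / iam:UpdateAssumeRolePolicy caller
may write into a trust policy, so the realistic control is detective: read each
role's AssumeRolePolicyDocument and alert when anything other than an AWS
service principal is trusted. The policy documents below are constructed; in a
real run you would feed in the Roles list returned by boto3's iam.list_roles().
"""
import json
from typing import Any, Dict, List

# Service principals look like <service>.amazonaws.com, sometimes with a region
# (states.us-east-1.amazonaws.com) or the China partition suffix.
_SERVICE_SUFFIXES = (".amazonaws.com", ".amazonaws.com.cn")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar wherever a list is legal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_service_principal(value: Any) -> bool:
    return isinstance(value, str) and value.endswith(_SERVICE_SUFFIXES)


def non_service_principals(trust_policy: Dict[str, Any]) -> List[str]:
    """Return every principal in an Allow statement that is not a service
    principal, tagged with its type, e.g. 'AWS:arn:aws:iam::111122223333:user/alice'.
    A bare "*" principal is reported as 'Principal:*'."""
    findings: List[str] = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        principal = stmt.get("Principal")
        if principal == "*":  # anyone may call sts:AssumeRole
            findings.append("Principal:*")
            continue
        if not isinstance(principal, dict):
            continue
        for ptype, values in principal.items():
            for value in _as_list(values):
                if ptype == "Service" and is_service_principal(value):
                    continue
                findings.append(f"{ptype}:{value}")
    return findings


def audit_roles(roles: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map RoleName -> findings for roles shaped like the entries of
    iam.list_roles()['Roles'] (boto3 already decodes AssumeRolePolicyDocument
    into a dict). Roles that trust only service principals are omitted."""
    report: Dict[str, List[str]] = {}
    for role in roles:
        findings = non_service_principals(role["AssumeRolePolicyDocument"])
        if findings:
            report[role["RoleName"]] = findings
    return report


# Constructed sample: trusts only Lambda, the shape the question wanted to allow.
LAMBDA_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed sample: trusts two services and also an IAM user in a made-up
# account, which is exactly what CreateRole/UpdateAssumeRolePolicy cannot be
# prevented from writing.
MIXED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"],
                   "AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Deny",
     "Principal": {"AWS": "*"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

if __name__ == "__main__":
    sample_roles = [
        {"RoleName": "lambda-exec", "AssumeRolePolicyDocument": LAMBDA_ONLY},
        {"RoleName": "ec2-admin", "AssumeRolePolicyDocument": MIXED},
    ]
    for name, findings in audit_roles(sample_roles).items():
        print(f"{name}: non-service principals {findings}")
```

Run on a schedule (or from an EventBridge rule on `CreateRole` / `UpdateAssumeRolePolicy` CloudTrail events) this gives you the alert that a preventive policy condition cannot; it does not stop the write, it tells you it happened.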
Hi, you can set up a global condition called aws:PrincipalIsAWSService which determines whether the principal is a service or not. More docs on this: https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/. Let me know if it hits in the right direction.