Defining assumed role as principal

0

Using the nodejs sdk, it seems to be using an assumed role

arn:aws:sts::000000000000:assumed-role/event-service/aws-sdk-js-session-0000000000

I'm trying to grant access for this role to access aws resources in another account

{
    "Principal": 
    {
        "AWS":"arn:aws:iam::000000000000:role/event-service"
    }
}

And using the assumed role doesn't seem practical, as the session id would change.

From reading these docs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-anonymous), I don't believe wildcards are an option either, so neither of these will work:

{
    "Principal": 
    {
        "AWS":"arn:aws:iam::000000000000:role/event-service/*"
    }
}
{
    "Principal": 
    {
        "AWS":"arn:aws:sts::000000000000:assumed-role/event-service/*"
    }
}

Is there a way to define a principal as a role/assumed role from another account when using the SDK assumed roles?

1 Answer
0

Hello there! I understand that it is not possible to use wildcards like arn:aws:sts::000000000000:assumed-role/event-service/* or arn:aws:iam::000000000000:role/event-service/* in the principal section of the role trust policy.

Instead, you can make use of the AWS global condition key aws:userid as below:

{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::{Account}:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringLike": {
            "aws:userid": "role-id:caller-specified-role-name"
        }
    }
}

Here, userid is role-id:caller-specified-role-name.

A) You can get the value of role-id using: aws iam get-role --role-name <ROLE-NAME>
B) You can set the caller-specified-role-name value as *

AWS
SUPPORT ENGINEER
answered 2 months ago
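The following is an added example, not code from the question or the answer above, written in JavaScript because the question uses the Node.js SDK. It builds the trust policy the answer describes (account root as principal, narrowed by an aws:userid StringLike condition) from a RoleId read out of `aws iam get-role` output, and includes a small matcher that mimics IAM's StringLike semantics (`*` and `?` wildcards, case-sensitive) so you can check which aws:userid values the condition would admit. The account id, RoleId values and the get-role output are constructed placeholders.

```javascript
// Added example (not from the original post): build a cross-account trust
// policy that pins the principal to one role by its unique RoleId, and a
// matcher that mimics the StringLike semantics IAM applies to aws:userid.
// Account id and RoleId values below are constructed placeholders.

// Convert an IAM StringLike pattern (* and ? wildcards) into a RegExp.
function stringLikeToRegExp(pattern) {
  const escaped = pattern
    .split("")
    .map((ch) => {
      if (ch === "*") return ".*";
      if (ch === "?") return ".";
      return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp(`^${escaped}$`);
}

// StringLike is case-sensitive; for an assumed role aws:userid is
// "<RoleId>:<role-session-name>", so "<RoleId>:*" covers every session.
function userIdMatches(pattern, userId) {
  return stringLikeToRegExp(pattern).test(userId);
}

// Pull RoleId out of `aws iam get-role` JSON output ({ "Role": { "RoleId": ... } }).
function roleIdFromGetRole(getRoleJson) {
  const parsed = JSON.parse(getRoleJson);
  return parsed.Role.RoleId;
}

// Trust policy from the answer: account root as principal, narrowed by aws:userid.
function buildTrustPolicy(accountId, roleId) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "Statement1",
        Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${accountId}:root` },
        Action: "sts:AssumeRole",
        Condition: { StringLike: { "aws:userid": `${roleId}:*` } },
      },
    ],
  };
}

// Constructed sample of `aws iam get-role --role-name event-service` output.
const SAMPLE_GET_ROLE = JSON.stringify({
  Role: {
    RoleName: "event-service",
    RoleId: "AROAEXAMPLEROLEID00000",
    Arn: "arn:aws:iam::000000000000:role/event-service",
  },
});

function demo() {
  const roleId = roleIdFromGetRole(SAMPLE_GET_ROLE);
  const policy = buildTrustPolicy("000000000000", roleId);
  const pattern = policy.Statement[0].Condition.StringLike["aws:userid"];
  return {
    policy,
    // Any session of event-service matches, whatever session name the SDK picks.
    sdkSession: userIdMatches(pattern, `${roleId}:aws-sdk-js-session-0000000000`),
    otherSession: userIdMatches(pattern, `${roleId}:deploy-pipeline`),
    // A different role in the same account has a different RoleId and is rejected.
    otherRole: userIdMatches(pattern, "AROAANOTHERROLEID00000:aws-sdk-js-session-1"),
    // An IAM user's userid has no ":session" suffix and is rejected too.
    iamUser: userIdMatches(pattern, "AIDAEXAMPLEUSERID00000"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Because the principal is the other account's root, the condition is what actually restricts access: without it, any principal in that account permitted by its own IAM policies could assume the role. Pinning on RoleId rather than the role name also means a deleted and recreated role with the same name will not match until the trust policy is updated.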
