1 Answer
0
There is a workaround to grant permissions to assumed-role users by using the aws:userid Policy Variable and [IAM Policy Conditions](http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Condition). The approach is outlined in this AWS Blog post.
KMS/Lambda-Specific Approach:
- Create a new Role to act as the execution role for Lambda (e.g. `lambda_test_kms_execution`). Make sure to give the Execution role permissions to create the alias:

```json
{
  "Effect": "Allow",
  "Action": "kms:CreateAlias",
  "Resource": "*"
}
```

- Use the AWS CLI to get the Unique RoleId for the role:

```
aws iam get-role --role-name lambda_test_kms_execution
```

- Assume the output contains `"RoleId": "ARO1234567890"`.
- Add statement(s) to the KMS key policy that use `Condition` to match `aws:userid` against the unique RoleId:

```json
{
  "Sid": "Deny IAM User Permissions",
  "Effect": "Deny",
  "Principal": { "AWS": "*" },
  "Action": "kms:CreateAlias",
  "Resource": "*",
  "Condition": {
    "StringNotLike": { "aws:userid": "ARO1234567890:*" }
  }
}
```
answered 8 years ago
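The following is an added example, not part of the answer above and not AWS code. It builds the key-policy Deny statement the answer describes from a RoleId, implements IAM's `StringLike`/`StringNotLike` wildcard matching (`*` and `?`, case-sensitive), and evaluates the statement against the `aws:userid` values AWS populates for different caller types: an IAM user's unique ID, `<RoleId>:<session name>` for an assumed role, and the account ID for root. All identifiers and session names are constructed placeholders. It shows why the trailing `:*` is needed (the role's sessions carry a session name after the RoleId) and, as a caveat, that because the statement uses `Principal: "*"` it also denies `kms:CreateAlias` to every other principal in the account, including root and administrators, not only to the "IAM users" its Sid names. The evaluator models this single statement only, not full IAM policy evaluation.

```python
import json
import re

# Constructed identifiers for this example; not real AWS IDs.
ROLE_ID = "AROAEXAMPLEROLEID01"        # value of .Role.RoleId from `aws iam get-role`
OTHER_ROLE_ID = "AROAEXAMPLEROLEID02"  # some unrelated role
IAM_USER_ID = "AIDAEXAMPLEUSERID01"    # an IAM user's unique ID
ACCOUNT_ID = "111122223333"            # aws:userid of the account root user


def deny_unless_role_statement(role_id, action="kms:CreateAlias",
                               sid="Deny IAM User Permissions"):
    """Key-policy Deny from the answer: deny `action` to every principal whose
    aws:userid does not begin with '<role_id>:' (i.e. is not a session of that role)."""
    return {
        "Sid": sid,
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": action,
        "Resource": "*",
        "Condition": {"StringNotLike": {"aws:userid": f"{role_id}:*"}},
    }


def iam_string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' matches any run of characters,
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def userid_for(principal_kind, unique_id, session_name=None):
    """aws:userid as AWS sets it: IAM user -> unique ID; assumed role ->
    '<RoleId>:<session name>'; account root -> the account ID."""
    if principal_kind == "user":
        return unique_id
    if principal_kind == "assumed-role":
        if not session_name:
            raise ValueError("assumed-role sessions always carry a session name")
        return f"{unique_id}:{session_name}"
    if principal_kind == "root":
        return unique_id
    raise ValueError(f"unknown principal kind: {principal_kind}")


def statement_denies(statement, userid):
    """True when this Deny statement's condition holds for the caller's aws:userid
    (the caller is NOT a session of the role), so the Deny applies."""
    if statement["Effect"] != "Deny":
        return False
    pattern = statement["Condition"]["StringNotLike"]["aws:userid"]
    return not iam_string_like(pattern, userid)


def evaluate_sample_callers(role_id=ROLE_ID):
    """Evaluate the statement for a constructed set of callers."""
    stmt = deny_unless_role_statement(role_id)
    callers = {
        # Lambda invokes the function under a session of its execution role;
        # the session name here is a placeholder.
        "lambda session of the execution role": userid_for("assumed-role", role_id, "lambda_test_kms"),
        "session of a different role": userid_for("assumed-role", OTHER_ROLE_ID, "ops-session"),
        "IAM user": userid_for("user", IAM_USER_ID),
        "account root": userid_for("root", ACCOUNT_ID),
    }
    return {name: statement_denies(stmt, uid) for name, uid in callers.items()}


if __name__ == "__main__":
    print(json.dumps(deny_unless_role_statement(ROLE_ID), indent=2))
    for name, denied in evaluate_sample_callers().items():
        print(f"{'DENIED    ' if denied else 'not denied'}: {name}")
```

Run it and the only caller that escapes the Deny is a session of the named role; root is denied too, which is the behaviour to keep in mind before putting a `Principal: "*"` Deny into a key policy.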