IAM role based mongo auth with sts assumeRole


We have a use case wherein we want to access a MongoDB database via an IAM role based authentication mechanism. We have attached an IAM role to the DB, and while making a connection to the DB from Lambda, for IAM role based auth we require temporary security credentials like key, secret and security token. For that we are using the sts.assumeRole method, which gives temporary security credentials by assuming the role (the one attached to the DB). To allow sts.assumeRole to work we are required to add the ARN of the user (Lambda) in the trust policy of the IAM role which we want to assume. We instead want to make it work by adding the ARN of a role, or by a policy way, and not by adding the ARN of the user (Lambda). We aren't able to do that. Is there a way possible to achieve this?

1 Answer

Hello,

I hope you're doing well.

Thank you for reaching out to us with your concern.

From your query, it seems that you would like to allow an AWS role ARN in the trust policy, instead of using an IAM user ARN. Please let me know if I misunderstood anything.

I would suggest you refer to the following AWS Knowledge Center article to achieve your use case.

https://repost.aws/knowledge-center/lambda-function-assume-iam-role

As you mentioned, you are currently providing an IAM user ARN instead of an IAM role ARN; hence, you must be making the request from an IAM user instead of an IAM role. In order to use an IAM role ARN to assume a specific role B, you need to make the request from an IAM role A. For example, currently you must be using an IAM user to make the request to assume role B. In order to allow IAM role A to assume role B, you first need to assume role A. As you are using a Lambda function, you can specify an IAM role for the Lambda function [1] which has permission to call the AssumeRole API action. After doing that, you can make a change in IAM role B's trust policy and allow the ARN of IAM role A, which is used by your Lambda function, in the trust policy.

Moreover, as I have only limited information, I would need more data to understand your use case much better. I regret the inconvenience caused. To understand your use case further, I would request you to raise a technical support case, where we can dive deep into the use case and suggest a policy based on your environment's resources.

References

[1] https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html

AWS
SUPPORT ENGINEER
answered a year ago
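The flow the answer describes (Lambda runs under execution role A, role A is allowed to call sts:AssumeRole on role B, role B's trust policy names role A's ARN rather than an IAM user), as an added worked example that is not part of the original thread or of any AWS sample. The account ID, role names, cluster host name and the use of the MONGODB-AWS authentication mechanism for the connection string are assumptions made for illustration; the FakeSts class is a constructed stand-in for boto3.client("sts") so the example runs offline, and it only enforces the trust-policy check the thread is about.

```python
"""Assume a DB-access role from a Lambda execution role and build a MongoDB
URI that authenticates with the resulting temporary credentials.

Added example for the re:Post thread above; all ARNs and hosts are assumed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote_plus

# Illustrative identifiers (assumed, not from the thread).
ACCOUNT_ID = "123456789012"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/mongo-lambda-exec-role"  # role A
DB_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/mongo-db-access-role"        # role B
MONGO_HOST = "cluster0.example.mongodb.net"                                  # assumed


def trust_policy_for_db_role(lambda_role_arn: str) -> dict:
    """Trust policy to attach to role B. The principal is the Lambda's *role*
    ARN, so no IAM user (and no long-lived user key) is involved."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_permission_for_lambda_role(db_role_arn: str) -> dict:
    """Identity policy to attach to role A (the Lambda execution role):
    it may assume role B and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": db_role_arn,
        }],
    }


def temporary_credentials(sts_client, role_arn: str, session_name: str,
                          duration: int = 900) -> dict:
    """Call AssumeRole through the supplied client (boto3.client("sts") in
    production) and pick out the three values the database driver needs."""
    resp = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration,
    )
    c = resp["Credentials"]
    return {
        "access_key_id": c["AccessKeyId"],
        "secret_access_key": c["SecretAccessKey"],
        "session_token": c["SessionToken"],
        "expiration": c["Expiration"],
    }


def mongodb_aws_uri(host: str, creds: dict) -> str:
    """MONGODB-AWS connection string: access key as username, secret as
    password, session token via authMechanismProperties. Each field is
    percent-encoded because secrets and tokens contain '/', '+' and '='."""
    return (
        f"mongodb://{quote_plus(creds['access_key_id'])}:"
        f"{quote_plus(creds['secret_access_key'])}@{host}/"
        "?authSource=%24external&authMechanism=MONGODB-AWS"
        f"&authMechanismProperties=AWS_SESSION_TOKEN:{quote_plus(creds['session_token'])}"
    )


class FakeSts:
    """Constructed offline stand-in for the STS client. It models only the
    rule under discussion: the caller's ARN must appear as a principal in
    role B's trust policy, otherwise AssumeRole is denied."""

    def __init__(self, caller_arn: str, db_role_trust_policy: dict):
        self.caller_arn = caller_arn
        self.trusted = {
            s["Principal"]["AWS"] for s in db_role_trust_policy["Statement"]
            if s["Effect"] == "Allow" and s["Action"] == "sts:AssumeRole"
        }

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        if self.caller_arn not in self.trusted:
            raise PermissionError(f"AccessDenied: {self.caller_arn} may not assume {RoleArn}")
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE",                                      # constructed
            "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",     # constructed
            "SessionToken": "FQoGZXIvYXdzEBYaDEXAMPLE==",                      # constructed
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
        }}


def build_connection_uri(sts_client, host: str = MONGO_HOST) -> str:
    """What the Lambda does on each invocation: assume role B, then hand the
    short-lived credentials to the driver through the URI."""
    creds = temporary_credentials(sts_client, DB_ROLE_ARN, "mongo-lambda-session")
    return mongodb_aws_uri(host, creds)


def lambda_handler(event, context):
    import boto3  # real STS client; the Lambda's execution role is role A
    return {"uri_built": bool(build_connection_uri(boto3.client("sts")))}


if __name__ == "__main__":
    fake = FakeSts(LAMBDA_ROLE_ARN, trust_policy_for_db_role(LAMBDA_ROLE_ARN))
    print(build_connection_uri(fake))
```

Two practical notes on the trust policy. AWS stores a role principal by the role's unique ID, not by its name, so if role A is deleted and recreated with the same name the entry in role B's trust policy stops matching until it is rewritten. And because the Lambda's credentials are already role credentials, the AssumeRole call adds no user key to manage; the only secret material is the 15-minute session in the URI, which should be rebuilt per invocation rather than cached across the role session's expiry.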
