By using AWS re:Post, you agree to the Terms of Use

Trust relationship between a role in global AWS and users/roles in China AWS region

0

Hi,

Consider the following trust relationship for a role in AWS global:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "SOME-EXTERNAL-ID"
        }
      }
    }
  ]
}

Will it be possible to add an account ID located in one of the AWS China regions? Will it be trusted by the role assigned with the above-mentioned trust policy?

Thanks in advance.

1 Answer
2

IAM roles and resource-based policies delegate access across accounts within a single partition. AWS Global and AWS China use different partitions. A partition is a group of AWS Regions. Each AWS account is scoped to one partition.

The following are the supported partitions:

  • aws - AWS Regions
  • aws-cn - China Regions
  • aws-us-gov - AWS GovCloud (US) Regions

References:

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions