1 Answer
0
Accepted Answer
I could not find a way to do this and this article confirms this, How to use trust policies with IAM roles:
Several customers have asked if it’s possible to design a trust policy for an IAM role such that it can only be passed to a specific Amazon EC2 instance. This isn’t directly possible. You cannot place the Amazon Resource Name (ARN) for an EC2 instance into the Principal of a trust policy, nor can you use tag-based condition statements in the trust policy to limit the ability for the role to be used by a specific resource.
The only option is to manage access to the iam:PassRole action within the permission policy for those IAM principals you expect to be attaching IAM roles to AWS resources. This special Action is evaluated when a principal tries to attach another IAM role to an AWS service or AWS resource.
Relevant questions
Notice about Trust Policy Evaluation changing affecting a Cognito Role
asked 7 days agoDynamically assign an IAM Role between an IAM user and and EC2 instance
asked 7 months agoHow can you restrict EC2 instances to assuming an IAM role based on the instance's tags?
asked 9 months agoHow to restrict which principals can appear in a role's trust policy
asked 2 months agoiam role trust policy behavior
Accepted Answerasked 2 months agoPermission boundary on IAM role trust policy
asked 4 months agoEFS File system policy with IAM Instance Profile collision
Accepted Answerasked 8 months agoUsing EC2 IAM role principal in SecretsManager resource policy together with autoscaling
Accepted Answerasked 9 months agoSpecify Individual Instance In Trust Policy Of IAM Role
Accepted Answerasked 5 months agoMisleading AWS doc: can't create Policy for SAML's role
asked 3 years ago
