Hey Denis,
The role self-assumption behavior may originate from AWS Amplify if you use that service, which uses Cognito to generate AWS IAM Role sessions for administrative purposes. The AWS Amplify CLI tool performs a self-assume role operation when it performs certain admin actions.
If you're not using AWS Amplify, it could be that someone running code with the credentials from your role in question performed a self assume role operation.
For now here is an example role-trust policy that you could use to explicitly allow this behavior:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CognitoAssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<YOUR_COGNITO_AUD_VALUE>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    },
    {
      "Sid": "SelfAssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<YOUR_ROLE_ARN_OR_ID>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
If you need help understanding the self assume role usage from this role, the blog post has some example queries to help find the events. If you're seeing a Role Session Name of 'AmplifyAdmin' for the self assume role events for this role, that would be a strong indicator that the events originated from AWS Amplify's tool.
Newer roles created by amplify already have the above additional statement included in their role trust policy.
Thanks,
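As an added illustration (not part of the answer above or of any AWS tooling), the following script does two things the answer describes: it checks whether a role's trust policy contains an explicit self-assume statement like "SelfAssumeRolePolicy", and it scans CloudTrail-style AssumeRole records for events where a role assumed itself, flagging a roleSessionName of AmplifyAdmin as the Amplify indicator mentioned above. The account number, role name and event records are constructed sample data.

```python
import json

# Constructed sample data modelled on the trust policy in the answer above;
# the account id and role name are placeholders, not real resources.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleAmplifyRole"
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CognitoAssumeRolePolicy", "Effect": "Allow",
         "Principal": {"Federated": "cognito-identity.amazonaws.com"},
         "Action": "sts:AssumeRoleWithWebIdentity"},
        {"Sid": "SelfAssumeRolePolicy", "Effect": "Allow",
         "Principal": {"AWS": ROLE_ARN}, "Action": "sts:AssumeRole"},
    ],
})

def _as_list(value):
    # IAM allows a single string or a list in Statement/Action/Principal fields.
    return value if isinstance(value, list) else [value]

def trusts_itself(policy_json, role_arn):
    """True if an Allow statement lets role_arn call sts:AssumeRole on this role."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and role_arn in _as_list(principal.get("AWS", [])):
            return True
    return False

# Constructed CloudTrail-style AssumeRole records, reduced to the fields used here.
EVENTS = [
    {"eventName": "AssumeRole",
     "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "AmplifyAdmin"}},
    {"eventName": "AssumeRole",
     "userIdentity": {"sessionContext": {"sessionIssuer": {
         "arn": "arn:aws:iam::111122223333:role/OtherRole"}}},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "cli"}},
]

def self_assume_events(events):
    """Return (roleSessionName, looks_like_amplify) for each event where a role assumed itself."""
    hits = []
    for ev in events:
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        params = ev.get("requestParameters", {})
        if ev.get("eventName") == "AssumeRole" and issuer and issuer == params.get("roleArn"):
            name = params.get("roleSessionName", "")
            hits.append((name, name == "AmplifyAdmin"))
    return hits
```

Point trusts_itself at the JSON from the role's Trust relationships tab and self_assume_events at records from a CloudTrail lookup to reproduce the two checks on a real account.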
I very much appreciate the response. We do use Amplify.
Is this a non-issue for Amplify as Amplify will do things correctly going forward? Or do we need to go back and fix the role or some other things done by Amplify in the past for our account?
Jumping in here from the side -
So if you have the part:
{ "Sid": "SelfAssumeRolePolicy", "Effect": "Allow", "Principal": { "AWS": "<YOUR_ROLE_ARN_OR_ID>" }, "Action": "sts:AssumeRole" }
in your Trust relationship tab, you should be covered for the 30th of June?
New deployments of Amplify (since roughly mid summer) will have a role trust policy like the above and already be covered. I've been working closely with the Amplify team and while they haven't finalized their rollout plan for pre-existing customers, it's likely that they'll ask you to make that addition to your role trust policy.