I believe that the trust policy that you want is
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666777:root",
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": [
            "111222333444",
            "444555666777"
          ]
        }
      }
    }
  ]
}
```
where "111222333444" is the account hosting the role, assuming that you want AWS Backup to run in the same account as the role. If not, reduce the list to the single remote account, "444555666777", in the aws:PrincipalAccount condition statement. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalaccount for more information about aws:PrincipalAccount.
Hi, thanks for the answer.
Indeed, the vendor of the solution proposes the following policy to enable the backups:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
so this should work without specifying the same account ID.
Then, formerly I already had the following policy working:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "444-555-666-777-888"
        }
      }
    }
  ]
}
```
The policy of the first post is the combination of the two policies that Terraform generates. However, I'm not sure if Terraform should have separated both policies into two statements or if it's correct. Notice that in your proposal and in what I have written (Terraform), the policy engine has to figure out that the `"Service": "backup.amazonaws.com"` line only applies to the own account and not to the external account (`"AWS": "arn:aws:iam::444555666:root"`). The AWS documentation doesn't specify if there's an array matching one to one, if there's an OR condition, etc. to determine what happens in this situation, so I'm wondering if someone knows whether the split into different statements is needed and how the statement is read by IAM in case everything is put together into one statement.
If I understand you correctly this time, then yes, you can have a statement list. Also, use the aws:SourceAccount condition to restrict AWS backup to your local account.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAWSBackupFromLocalAccount",
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": [
            "111222333444"
          ]
        }
      }
    },
    {
      "Sid": "AllowPrincipalsFromRemoteAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666777:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Hi, I'd need to include the `"sts:ExternalId": "444-555-666-777-888"` for the cross-account. However, the key point for me is whether I can combine both statements into one, as Terraform is generating. I don't know if the condition then applies to both principals, or if the AWS IAM engine is smart enough to detect that the condition (`"sts:ExternalId": "444-555-666-777-888"`) only applies to the cross-account principal (and not to the service principal).
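To make the evaluation semantics behind this question concrete, here is a toy model of how IAM evaluates a role trust policy, written as an added example for this thread (it is not AWS's evaluation engine and not code from the thread). It models only Allow statements, the StringEquals operator and exact principal matching; the account IDs, the service principal and the ExternalId are the ones used above, and the request contexts are constructed. The point it demonstrates: a Condition applies to its whole statement, so in one combined statement the backup service principal (which never supplies sts:ExternalId) fails the StringEquals check, while two separate statements are evaluated independently and each principal is checked only against its own condition.

```python
# Added example: a toy model of how IAM evaluates a role trust policy, to show
# why one combined statement behaves differently from two separate statements.
# This is not AWS's evaluation engine; it models only Allow statements,
# the StringEquals operator and exact principal matching (constructed for
# illustration). Account IDs and the ExternalId are taken from the thread.
from typing import Any

REMOTE_ROOT = "arn:aws:iam::444555666777:root"
BACKUP_SERVICE = "backup.amazonaws.com"
EXTERNAL_ID = "444-555-666-777-888"


def _as_list(value: Any) -> list:
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal: dict, caller: dict) -> bool:
    """The Principal element is an OR over its entries: any listed AWS ARN or
    service principal matches. Real IAM also treats an account-root ARN as
    'any principal in that account whose own policy allows sts:AssumeRole';
    this toy model only compares the ARN string itself."""
    for ptype, allowed in principal.items():
        if caller["type"] == ptype and caller["id"] in _as_list(allowed):
            return True
    return False


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Every key under Condition must match (AND). With StringEquals, a key
    that is absent from the request context evaluates to false, which is what
    happens when the AWS Backup service assumes a role: it never supplies
    sts:ExternalId."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in keys.items():
            if ctx.get(key) not in _as_list(expected):
                return False
    return True


def statement_allows(stmt: dict, caller: dict, ctx: dict) -> bool:
    """A statement grants access only if ALL of its elements match the request.
    The Condition applies to the statement as a whole: IAM does not pair one
    condition with one principal inside the same statement."""
    return (
        stmt.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
        and _principal_matches(stmt.get("Principal", {}), caller)
        and _condition_matches(stmt.get("Condition", {}), ctx)
    )


def policy_allows(policy: dict, caller: dict, ctx: dict) -> bool:
    """Statements are independent and OR-ed: one matching Allow is enough.
    (Explicit Deny statements are not modelled here.)"""
    return any(statement_allows(s, caller, ctx) for s in policy["Statement"])


# The two trust policies under discussion, as constructed inputs.
COMBINED_POLICY = {  # one statement, both principals, ExternalId condition
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": REMOTE_ROOT, "Service": BACKUP_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
SPLIT_POLICY = {  # one statement per principal, each with its own condition
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAWSBackupFromLocalAccount",
            "Effect": "Allow",
            "Principal": {"Service": BACKUP_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": "111222333444"}},
        },
        {
            "Sid": "AllowPrincipalsFromRemoteAccount",
            "Effect": "Allow",
            "Principal": {"AWS": REMOTE_ROOT},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
        },
    ],
}

# Constructed request contexts: the service principal carries aws:SourceAccount
# but no sts:ExternalId; the remote account's caller passes the ExternalId.
BACKUP_CALLER = {"type": "Service", "id": BACKUP_SERVICE}
BACKUP_CTX = {"aws:SourceAccount": "111222333444"}
REMOTE_CALLER = {"type": "AWS", "id": REMOTE_ROOT}
REMOTE_CTX = {"sts:ExternalId": EXTERNAL_ID, "aws:PrincipalAccount": "444555666777"}

if __name__ == "__main__":
    for name, policy in (("combined", COMBINED_POLICY), ("split", SPLIT_POLICY)):
        print(name, "backup:", policy_allows(policy, BACKUP_CALLER, BACKUP_CTX),
              "remote:", policy_allows(policy, REMOTE_CALLER, REMOTE_CTX))
```

Running it shows the combined statement rejecting the backup service while the split policy admits both callers, and the split policy still rejects a remote caller that omits the ExternalId. The same reasoning is why keeping the ExternalId condition in its own statement is the safer shape: the confused-deputy protection stays attached to the cross-account principal only, and the service principal gets an aws:SourceAccount scope of its own rather than an unconditional Allow.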