I am trying to write a permission boundary policy that allows developers to create personal IAM roles that are only allowed to pass themselves to EC2 instances.
I'm not seeing an obvious way to write a general-purpose policy for this.
I tried interpolating the role ARN in the resource field, which didn't work because the field only allows using policy variables in the final segment of the ARN.
{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "${aws:PrincipalArn}"
}
There doesn't seem to be a way to either retrieve the role name for use in the resource field, or the target role ARN for use in a condition statement.
Thanks
P.S. I realize I could create a set of policies that each hardcode the name of the role, but I am hoping to write just a single more flexible policy because I want to use it as a permissions boundary.
Thank you, but this article does not answer my specific question.
And yet it is the correct answer. In your question you say "I am hoping to write just a single more flexible policy", but you cannot (as you have discovered) put a variable name in the condition statement.