By using AWS re:Post, you agree to the Terms of Use
/Permission boundary on IAM role trust policy/

Permission boundary on IAM role trust policy


Is there any way I can restrict IAM role trust policy, just like what Permission boundary do?

The reason I'm asking is that when creating IAM role for 3rd party OIDC provider, the most common way to validate the requestor identity is by sub claim, e.g.

"Condition": {
  "StringEquals": {
    "": "",
    "": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"

If the sub condition is omitted, the role will be open to all users in that 3rd party provider (in this case, all GitHub user). I want to give flexibility to our developer on creating their own IAM roles, but having a guardrail to prevent them creating wide-open IAM roles (just like why we have Permission boundary).

Edit: Or at least allowing us to set the default subject value for the identity provider, and let us select when creating IAM role, just like how we do for audience now

So instead of going back to edit the trust policy every time we create IAM roles, we can set the default subject condition upfront

1 Answers

Take a look at this workshop, IAM PERMISSION BOUNDARIES DELEGATING ROLE CREATION. This shows how to grant access but require the delegated role to use your permissions boundary.

answered 25 days ago
  • Thanks But this seems to be restricting the role policy, not the trust policy

    I am not going to restrict what the role can do but who can assume the role

    Can permission boundary do that?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions