Permission boundary on IAM role trust policy
Is there any way I can restrict an IAM role trust policy, just like what a permissions boundary does?
The reason I'm asking is that when creating an IAM role for a 3rd-party OIDC provider, the most common way to validate the requestor identity is by the sub claim, e.g.
    "Condition": {
        "StringEquals": {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
            "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
        }
    }
If the sub condition is omitted, the role will be open to all users in that 3rd-party provider (in this case, all GitHub users).
I want to give flexibility to our developers on creating their own IAM roles, but have a guardrail to prevent them creating wide-open IAM roles (just like why we have permissions boundaries).
Edit: Or at least allow us to set a default subject value for the identity provider, and let us select it when creating an IAM role, just like how we do for audience now.
So instead of going back to edit the trust policy every time we create IAM roles, we can set the default subject condition upfront.
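As an added example that is not part of the original post, a Python check that flags trust-policy statements granting sts:AssumeRoleWithWebIdentity to a Federated OIDC principal without a restricting <provider>:sub condition; the sample policies and the account id in them are constructed. It treats IfExists and negated operators, and a bare "*" value, as no restriction.

```python
import json

# Condition operators that actually constrain a string claim. IfExists variants,
# Null and the StringNot* operators do not pin the subject, so they do not count.
STRING_MATCH = ("StringEquals", "StringLike", "StringEqualsIgnoreCase")


def has_sub_condition(condition, provider_host):
    """True if the condition pins <provider_host>:sub to something other than '*'."""
    wanted = f"{provider_host}:sub".lower()
    for operator, keys in condition.items():
        if operator.split(":")[-1] not in STRING_MATCH:  # drops ForAnyValue:/ForAllValues:
            continue
        for key, value in keys.items():
            if key.lower() != wanted:
                continue
            values = [value] if isinstance(value, str) else value
            if any(v.strip() != "*" for v in values):
                return True
    return False


def open_oidc_statements(trust_policy):
    """Return (provider, statement) pairs where an OIDC principal has no sub restriction."""
    statements = trust_policy.get("Statement", [])
    findings = []
    for stmt in [statements] if isinstance(statements, dict) else statements:
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or federated is None:
            continue
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*") for a in actions):
            continue
        for provider in [federated] if isinstance(federated, str) else federated:
            host = provider.rsplit("oidc-provider/", 1)[-1]  # provider ARN -> issuer host
            if not has_sub_condition(stmt.get("Condition", {}), host):
                findings.append((provider, stmt))
    return findings


# Constructed sample (not from the post): the GitHub trust policy with and without the sub pin.
GITHUB = "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"
PINNED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": GITHUB},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
        "token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"}}}]}
OPEN = json.loads(json.dumps(PINNED))  # deep copy, then drop the sub pin
del OPEN["Statement"][0]["Condition"]["StringEquals"]["token.actions.githubusercontent.com:sub"]

if __name__ == "__main__":
    for name, policy in (("pinned", PINNED), ("open", OPEN)):
        print(name, "->", [p for p, _ in open_oidc_statements(policy)])
```

Run against the AssumeRolePolicyDocument of each role (or on CreateRole / UpdateAssumeRolePolicy events) as a detective guardrail, since a permissions boundary only caps the role's own permissions and does not constrain who may assume it.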
Take a look at this workshop, IAM PERMISSION BOUNDARIES DELEGATING ROLE CREATION. This shows how to grant access but require the delegated role to use your permissions boundary.
Thanks, but this seems to be restricting the role policy, not the trust policy.
I am not going to restrict what the role can do, but who can assume the role.
Can a permissions boundary do that?