Is there any way I can restrict IAM role trust policy, just like what Permission boundary do?
The reason I'm asking is that when creating IAM role for 3rd party OIDC provider, the most common way to validate the requestor identity is by sub
claim, e.g.
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:sub": "repo:octo-org/octo-repo:ref:refs/heads/octo-branch"
}
}
If the sub
condition is omitted, the role will be open to all users in that 3rd party provider (in this case, all GitHub user).
I want to give flexibility to our developer on creating their own IAM roles, but having a guardrail to prevent them creating wide-open IAM roles (just like why we have Permission boundary).
Edit:
Or at least allowing us to set the default subject value for the identity provider, and let us select when creating IAM role, just like how we do for audience now
So instead of going back to edit the trust policy every time we create IAM roles, we can set the default subject condition upfront
Thanks But this seems to be restricting the role policy, not the trust policy
I am not going to restrict what the role can do but who can assume the role
Can permission boundary do that?