
Questions tagged with Service Control Policy



Deny access to a specific IdP provider while creating an IAM role

Hello All,

Using Landing Zone. Each sub account has its own admin users. I would like to implement this as a service control policy from the main account.

We have a job workflow in GitHub Actions which requests an access token from the AWS IdP provider that we created at our end. This short-lived access token is then passed on to an IAM role which has been mentioned in the GitHub workflow. As part of creating the trust relationship of this IAM role, our ORG repo needs to be mentioned. However, this trust relationship can either be edited, or a 2nd role with web identity federation can be created to bypass this trust relationship. This way the role can actually be used via a public repo as well. I would like to deny access to a specific IdP provider while creating an IAM role.

Sample code:

```
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:ORG/*"
        }
      }
    }
  ]
}
```

Using the UpdateAssumeRolePolicy IAM action I can deny anyone the ability to edit the trust relationship; however, as a workaround, admin users can still create a role with a custom string.

Let me know if you need any further information.

Thanks,
dsids
1 answer, 0 votes, 33 views
asked 6 days ago
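Added example, not part of this question or of any answer on the page: whatever preventive control is chosen, the bypass the question describes (a second role whose `sub` condition is a custom string such as `repo:*`) is detectable after the fact by reading each role's trust policy and checking that every GitHub Actions federation statement pins `token.actions.githubusercontent.com:sub` to `repo:<org>/`. The script below implements that check in Python. The sample trust policies are constructed for this example (the first one is the policy from the question); the org name `ORG` and the `ACCOUNT_ID` placeholder are taken from the question. In real use the documents come from the `AssumeRolePolicyDocument` field returned by `iam:GetRole` / `iam:ListRoles`, which is not fetched here so the script runs offline.

```python
"""Audit IAM role trust policies for GitHub Actions OIDC federation that is
not pinned to one organization's repositories.

Added example for this re:Post question; sample documents are constructed.
"""

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"
# Actions that grant web-identity assumption (compared case-insensitively).
WEB_IDENTITY_ACTIONS = {"sts:assumerolewithwebidentity", "sts:*", "*"}


def _as_list(value):
    """IAM accepts a scalar or an array in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _github_sub_patterns(condition):
    """Collect every value bound to the GitHub 'sub' claim across the string
    operators (StringEquals, StringLike, ForAnyValue:StringLike, ...).
    Condition keys are case-insensitive in IAM, so compare lower-cased."""
    patterns = []
    for operator, keys in (condition or {}).items():
        if "string" not in operator.lower():
            continue
        for key, values in keys.items():
            if key.lower() == SUB_KEY:
                patterns.extend(_as_list(values))
    return patterns


def find_unpinned_github_trust(trust_policy, org):
    """Return a list of findings for Allow statements that let the GitHub OIDC
    provider assume the role without a 'sub' condition scoped to repo:<org>/."""
    findings = []
    required_prefix = f"repo:{org}/"
    for index, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & WEB_IDENTITY_ACTIONS:
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(GITHUB_OIDC_HOST in f for f in federated):
            continue  # not a GitHub federation statement; out of scope here
        patterns = _github_sub_patterns(stmt.get("Condition"))
        if not patterns:
            findings.append(f"statement {index}: no {SUB_KEY} condition, any GitHub repo may assume")
            continue
        for pattern in patterns:
            # A literal prefix check: 'repo:*', 'repo:OtherOrg/...' and even
            # 'repo:OR*/...' all fail, because a wildcard inside the org
            # segment could match a foreign org.
            if not pattern.startswith(required_prefix):
                findings.append(f"statement {index}: sub pattern {pattern!r} is not pinned to {required_prefix!r}")
    return findings


def audit_roles(roles, org):
    """roles: {role_name: trust_policy_dict}. Returns only the roles with findings."""
    report = {}
    for name, document in roles.items():
        findings = find_unpinned_github_trust(document, org)
        if findings:
            report[name] = findings
    return report


GITHUB_PROVIDER_ARN = f"arn:aws:iam::ACCOUNT_ID:oidc-provider/{GITHUB_OIDC_HOST}"

# Constructed sample trust policies (role name -> AssumeRolePolicyDocument).
SAMPLE_ROLES = {
    "pinned-role": {  # the policy from the question, scoped to repo:ORG/*
        "Version": "2008-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": GITHUB_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringLike": {SUB_KEY: "repo:ORG/*"}},
        }],
    },
    "bypass-role": {  # the "second role with a custom string" the question worries about
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": GITHUB_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringLike": {SUB_KEY: "repo:*"}},
        }],
    },
    "no-condition-role": {  # trusts the provider with no sub condition at all
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": GITHUB_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
        }],
    },
    "other-org-role": {  # pinned, but to a different org's public repo
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": GITHUB_PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {SUB_KEY: "repo:SomeoneElse/public-repo:ref:refs/heads/main"}},
        }],
    },
    "ec2-role": {  # unrelated service-principal trust; must not be reported
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
}


if __name__ == "__main__":
    for role_name, role_findings in audit_roles(SAMPLE_ROLES, "ORG").items():
        print(role_name)
        for finding in role_findings:
            print("  -", finding)
```

Run as-is and it reports `bypass-role`, `no-condition-role` and `other-org-role` while leaving the question's own policy and the EC2 role alone. Plugging the real documents in is a matter of replacing `SAMPLE_ROLES` with the `RoleName` / `AssumeRolePolicyDocument` pairs from `iam:ListRoles`; running that from the management account on a schedule gives a detective control even where an SCP cannot express the restriction.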