Only allow a role to pass itself


I am trying to write a permission boundary policy that allows developers to create personal IAM roles that are only allowed to pass themselves to EC2 instances.

I'm not seeing an obvious way to write a general purpose policy for this

I tried interpolating the role ARN in the resource field, which didn't work because the field only allows using policy variables in the final segment of the ARN.

    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "${aws:PrincipalArn}"

There doesn't seem to be a way to either retrieve the role name for use in the resource field, or the target role ARN for use in a condition statement.


P.S. I realize I could create a set of policies that each hardcode the name of the role, but I am hoping to write just a single more flexible policy because I want to use it as a permissions boundary.

1 回答

You may want to look at the following KB article and borrow some methods from it. - How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation?

profile pictureAWS
已回答 2 年前
profile pictureAWS
已审核 2 年前
  • Thank you, but this article does not answer my specific question.

  • And yet it is a the correct answer. In your question you say "I am hoping to write just a single more flexible policy" but you cannot (as you have discovered) put a variable name in the condition statement.

您未登录。 登录 发布回答。