Trust policy when assuming roles


Question

I have a set of roles in the format hi-role1-<random> & hi-role2-<random> that need to assume h1-role3. All these roles are deployed through terraform & spinnaker and random characters are assigned at the end for role1 & role2. I am not able to come up with a trust policy that narrows down the sts to just those roles as AWS expects the complete ARN and won't let me add a wildcard like hi-role1-*. Is there any way to make this work? This is what it looks like now

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "",
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:PrincipalAccount": "12345"
				}
			}
		}
	]
}

I want to narrow it down to

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "",
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"arn:aws:iam::12345:role/hi-role1-*",
					"arn:aws:iam::12345:role/hi-role2-*"
				]
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:PrincipalAccount": "12345"
				}
			}
		}
	]
}

I am not so familiar with AWS, and everything I looked at says it is not supported. I don't want to leave my trust policy wide open. Thanks for any help/suggestions!


Answer 1

Score: 1

I've included an example of a working IAM policy that meets your requirements below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::12345:role/hi-role1-*",
                        "arn:aws:iam::12345:role/hi-role2-*"
                    ]
                }
            }
        }
    ]
}

The key difference is using the StringLike condition operator and no wildcard in the principal ARN.

Explanation

You can use the StringLike condition operator to match multiple characters with a wildcard (*). From the official documentation:

> Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches.

Also, per the official documentation, you cannot use a wildcard in the principal:

> You cannot use a wildcard to match part of a principal name or ARN.

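To check the answer's policy before deploying it, here is an added example (not code from the original post or from AWS): a small offline evaluator in Python for the trust-policy elements that policy uses, plus a lint for the two mistakes visible on this page, a wildcard inside the Principal element and an ARN written as `:/role/` instead of `:role/`. It assumes a placeholder 12-digit account id 123456789012 in place of the post's 12345; the policies and caller ARNs are constructed sample data.

```python
"""Offline checker for the trust policy in the answer above. Added example, not
code from the original post; it models only the IAM elements that policy uses
(Allow, Principal.AWS, sts:AssumeRole, StringEquals/StringLike conditions)."""
import re

ACCOUNT = "123456789012"  # assumed placeholder 12-digit account id (the post uses 12345)

# The answer's working policy, with the ARN typo ":/role/" corrected to ":role/".
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringLike": {"aws:PrincipalArn": [
            f"arn:aws:iam::{ACCOUNT}:role/hi-role1-*",
            f"arn:aws:iam::{ACCOUNT}:role/hi-role2-*",
        ]}},
    }],
}

# The policy the question wanted to write; IAM refuses to save it (wildcard in Principal).
REJECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            f"arn:aws:iam::{ACCOUNT}:/role/hi-role1-*",
            f"arn:aws:iam::{ACCOUNT}:/role/hi-role2-*",
        ]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT}},
    }],
}

# Shapes an IAM principal ARN can take: the account root, a role, or a user.
_IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(root|(role|user)/[^/].*)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def validate_trust_policy(policy):
    """Flag wildcards inside Principal (IAM rejects the policy) and ARNs that can never match."""
    findings = []
    for stmt in policy["Statement"]:
        for arn in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if arn == "*" or re.fullmatch(r"\d{12}", arn):  # '*' and bare account ids are valid
                continue
            if "*" in arn or "?" in arn:
                findings.append(f"wildcard in Principal is not allowed: {arn}")
            if not _IAM_ARN.match(re.sub(r"[*?]", "x", arn)):
                findings.append(f"malformed IAM ARN in Principal: {arn}")
        for operator in stmt.get("Condition", {}).values():
            for pattern in _as_list(operator.get("aws:PrincipalArn", [])):
                if not _IAM_ARN.match(re.sub(r"[*?]", "x", pattern)):
                    findings.append(f"aws:PrincipalArn pattern can never match a caller: {pattern}")
    return findings


def _conditions_hold(condition, caller_arn, account):
    # As in IAM: values under one key are OR-ed, keys and operators are AND-ed.
    context = {"aws:PrincipalArn": caller_arn, "aws:PrincipalAccount": account}
    operators = {"StringEquals": lambda pat, val: pat == val, "StringLike": string_like}
    for name, keys in condition.items():
        if name not in operators:
            raise ValueError(f"condition operator not modelled here: {name}")
        for key, patterns in keys.items():
            if not any(operators[name](p, context[key]) for p in _as_list(patterns)):
                return False
    return True


def assume_role_allowed(policy, caller_arn):
    """True if the trust policy lets caller_arn call sts:AssumeRole (identity policy not modelled).
    For a role session aws:PrincipalArn carries the role ARN, so pass the role ARN here."""
    if any("wildcard" in f for f in validate_trust_policy(policy)):
        raise ValueError("IAM would not have accepted this trust policy")
    account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        # The account root (or bare account id) as Principal delegates to every principal in that account.
        trusted = any(p in ("*", account, f"arn:aws:iam::{account}:root", caller_arn) for p in principals)
        if trusted and _conditions_hold(stmt.get("Condition", {}), caller_arn, account):
            return True
    return False


if __name__ == "__main__":
    print("rejected policy:", validate_trust_policy(REJECTED_POLICY))
    for caller in (f"arn:aws:iam::{ACCOUNT}:role/hi-role1-a8f3k2", f"arn:aws:iam::{ACCOUNT}:role/hi-role3",
                   "arn:aws:iam::999999999999:role/hi-role1-a8f3k2"):
        print(caller, "->", assume_role_allowed(TRUST_POLICY, caller))
```

Run stand-alone it prints the four findings for the rejected policy, then True for a hi-role1-<random> caller, False for hi-role3 in the same account, and False for the same role name in another account. Two things the evaluator deliberately leaves out: with the account root as the Principal, the calling role must also be granted sts:AssumeRole on the target role in its own identity-based policy, and an explicit Deny anywhere in the evaluation would override the Allow. The `:/role/` typo is worth linting for precisely because IAM accepts it in a condition value and the role simply never becomes assumable.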

Posted by huangapple on 2023-06-15 05:14:01
Please keep this link when reposting: https://go.coder-hub.com/76477580.html