问题 I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently. I came up with this policy for the Trust Relationship, which should allow any role which name ends with _my_suffix , but it doesn't work (access is denied): { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_NR_A:root" }, "Condition": { "ArnLike": { "aws:SourceArn":