问题
I'm working on an application and I'm struggling about an issue. My application has Lambdas and DynamoDBs services in which the former needs permissions to call the latter. I solve this creating a role with Principal equals Service: lambda.amazonaws.com.
I'd like to give access to other developers to create roles too in a way which allows developers to create only roles whose principal is a service or federated and deny if it is user or account.
For example, this role would be allowed:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Federated: cognito-identity.amazonaws.com
Action:
- sts:AssumeRoleWithWebIdentity
Path: ...
Policies: ...
and this would not be allowed:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
AWS: arn:aws:iam::<accountid>:user/<username>
Path: ...
Policies: ...
I'm trying to reach this because a user could create a role with admin access and assume it.
Also, is there another way to achieve to solve this issue?
来源:https://stackoverflow.com/questions/55204535/aws-iam-allow-user-create-roles-only-for-services-assume