What action does the iam:PassRole API perform?

孤者浪人 submitted on 2020-01-16 00:40:57

Question


In the below rule:

{
    "Condition": {
        "StringLikeIfExists": {
            "iam:PassedToService": "lambda.amazonaws.com"
        }
    },
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::${AWS::AccountId}:role/some-role*"
    ],
    "Effect": "Allow"
}

We are using this rule for CloudFormation stack creation of a SAM template (`sam deploy`). The SAM template has a Lambda function and custom roles for Lambda.

What exactly are we saying with the above rule?


Answer 1:


In short, the statement says that you can assign a role whose name starts with `some-role` only to the Lambda service.

If you want to assign a role to a service such as Lambda or EC2, you need to have permission to perform the `iam:PassRole` action.

`"iam:PassedToService": "lambda.amazonaws.com"` specifies which service you may pass the role to, in this case the Lambda service. For example, with this condition you will not be able to assign this role to an EC2 instance.

While this will work, it would be best to use `StringEquals` instead of `StringLikeIfExists`. First, you don't need `Like`, since there is no variable part in the name of the service: it is simply `lambda.amazonaws.com` and it will stay that way. Second, you are passing this role to a service, so the mentioned string will always be present, and therefore there is no need for `IfExists`. That suffix is used in situations where you specify multiple actions in a single statement but the condition applies only to some of them; in such a case you can use the `IfExists` variant so that you don't have to break the statement into multiple smaller ones.

So in your case, you can write the condition like this

    "Condition": {
        "StringEquals": {
            "iam:PassedToService": "lambda.amazonaws.com"
        }
    }
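As an added illustration (not part of the original question or answer), the following Python model evaluates a single Allow statement the way IAM treats the two operators discussed above: `StringLike` does wildcard matching, `StringEquals` does exact matching, and the `IfExists` suffix makes the condition pass when the context key is absent. The account ID, the role names and the request contexts are constructed for this example; the "no context key" case is included only to show the operator semantics. A real IAM evaluation also folds in the other statements of the policy, explicit denies, SCPs and permission boundaries, which this model ignores.

```python
import copy
import re

# Constructed account id for the resource ARN in the example statement.
ACCOUNT_ID = "123456789012"

# The statement from the question, with the placeholder account id filled in.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/some-role*"],
    "Condition": {
        "StringLikeIfExists": {"iam:PassedToService": "lambda.amazonaws.com"}
    },
}


def iam_like(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.

    Everything else is literal and case-sensitive, which is how IAM treats
    Action/Resource patterns and the StringLike operator.
    """
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context dictionary."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            expected_values = expected if isinstance(expected, list) else [expected]
            if key not in context:
                if if_exists:
                    continue  # key absent: the ...IfExists form treats this as satisfied
                return False  # key absent: a plain operator fails the condition
            actual = context[key]
            if base == "StringEquals":
                ok = any(actual == e for e in expected_values)
            elif base == "StringLike":
                ok = any(iam_like(e, actual) for e in expected_values)
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def allows(statement, action, resource, context):
    """True if this single Allow statement grants action on resource under context."""
    if statement["Effect"] != "Allow":
        return False
    if not any(iam_like(a, action) for a in statement["Action"]):
        return False
    if not any(iam_like(r, resource) for r in statement["Resource"]):
        return False
    return condition_matches(statement.get("Condition", {}), context)


# Constructed role ARNs: one that matches the some-role* pattern and one that does not.
MATCHING_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/some-role-lambda"
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/admin"


def scenarios(statement):
    """Run the constructed PassRole requests through one statement."""
    return {
        "lambda": allows(statement, "iam:PassRole", MATCHING_ROLE,
                         {"iam:PassedToService": "lambda.amazonaws.com"}),
        "ec2": allows(statement, "iam:PassRole", MATCHING_ROLE,
                      {"iam:PassedToService": "ec2.amazonaws.com"}),
        # Hypothetical: no iam:PassedToService key in the context at all.
        "no_service_key": allows(statement, "iam:PassRole", MATCHING_ROLE, {}),
        "other_role": allows(statement, "iam:PassRole", OTHER_ROLE,
                             {"iam:PassedToService": "lambda.amazonaws.com"}),
    }


def with_string_equals(statement):
    """The same statement with the tightened condition the answer recommends."""
    tightened = copy.deepcopy(statement)
    tightened["Condition"] = {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}
    return tightened


if __name__ == "__main__":
    print("StringLikeIfExists:", scenarios(STATEMENT))
    print("StringEquals:      ", scenarios(with_string_equals(STATEMENT)))
```

The only row that differs between the two runs is the constructed "no_service_key" case: `StringLikeIfExists` allows it, `StringEquals` does not. That is exactly the behaviour the answer is pointing at when it says the `IfExists` form is for statements whose condition does not apply to every listed action.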


Source: https://stackoverflow.com/questions/57513257/what-action-does-iampassrole-api-perform
