Question
I'm trying to allow users to execute codebuild:StartBuild, while restricting iam:PassRole to pass the custom codebuild role only to the CodeBuild service.
The canned policies never restrict iam:PassRole, and even use "Resource":"*", effectively allowing passing of any role to any service. This strikes me as a bit sloppy, but maybe it's just me.
The policy below is an excerpt – codebuild:StartBuild, codebuild:List*, etc, are all allowed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/my-codebuild-role",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "*"
        }
      }
    }
  ]
}
This policy makes codebuild:StartBuild return an error:
User: arn:aws:sts::123456789:assumed-role/MyDevRole/me@example.com
is not authorized to perform: iam:PassRole on resource:
arn:aws:iam::123456789:role/my-codebuild-role
Now, removing the Condition part of the policy makes codebuild:StartBuild succeed.
The CloudTrail logs state exactly the same, without providing any additional information, neither in that particular event, nor in events before or after it.
I have also tried variations of the Condition match, including: Specify codebuild.amazonaws.com as the service; specify codebuild.eu-west-1.amazonaws.com as the service; ditto using StringEquals; specifying a list of all AWS principals and using ForAnyValue:StringLike.
It doesn't make sense that a StringLike match on * fails, while removing the Condition altogether makes it work.
What am I doing wrong? What is AWS not telling me? Or, what is AWS doing wrong here?
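The following is an added example, not part of the question above and not AWS code. It is a small model of how IAM evaluates a Condition block, written to show one mechanism that is consistent with the symptoms described: a non-IfExists operator such as StringLike evaluates to false whenever the condition key is absent from the request context, so "StringLike": {"iam:PassedToService": "*"} denies the call if the key is simply not populated, while dropping the Condition lets the same call through. Whether that is what happens for codebuild:StartBuild is an assumption here; the request contexts (the dicts passed to is_allowed) are constructed, and only the two string operators the policy needs are modelled. The policy dict is the one from the question, transcribed.

```python
import copy
import fnmatch

# Role ARN taken from the error message in the question.
ROLE_ARN = "arn:aws:iam::123456789:role/my-codebuild-role"

# The policy excerpt from the question, transcribed as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/my-codebuild-role",
            "Condition": {"StringLike": {"iam:PassedToService": "*"}},
        }
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # IAM treats * and ? as wildcards in Action and Resource elements.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate_condition(condition, context):
    """Return True when every operator/key pair in the Condition block matches.

    Models the documented IAM rule that matters here: if a condition key is
    absent from the request context, a plain operator (StringEquals,
    StringLike) evaluates to False, while the ...IfExists variant of the same
    operator evaluates to True. Only those string operators are implemented.
    """
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # missing key is accepted only for ...IfExists
                return False  # missing key fails a plain operator
            actual = context[key]
            if base == "StringEquals":
                ok = any(actual == p for p in _as_list(expected))
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Toy evaluation: an explicit Deny wins, any matching Allow grants,
    and a request matched by no statement is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not evaluate_condition(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def with_condition(policy, condition):
    """Copy of a single-statement policy with its Condition replaced,
    or removed entirely when condition is None."""
    p = copy.deepcopy(policy)
    if condition is None:
        p["Statement"][0].pop("Condition", None)
    else:
        p["Statement"][0]["Condition"] = condition
    return p


if __name__ == "__main__":
    # Constructed request contexts: one where the service populates the key, one where it does not.
    ctx_present = {"iam:PassedToService": "codebuild.amazonaws.com"}
    ctx_absent = {}
    print("StringLike *, key present :", is_allowed(POLICY, "iam:PassRole", ROLE_ARN, ctx_present))
    print("StringLike *, key absent  :", is_allowed(POLICY, "iam:PassRole", ROLE_ARN, ctx_absent))
    print("no Condition, key absent  :", is_allowed(with_condition(POLICY, None), "iam:PassRole", ROLE_ARN, ctx_absent))
    relaxed = with_condition(POLICY, {"StringLikeIfExists": {"iam:PassedToService": "codebuild.amazonaws.com"}})
    print("IfExists, key absent      :", is_allowed(relaxed, "iam:PassRole", ROLE_ARN, ctx_absent))
```

Two practical points follow from the model. First, switching to StringLikeIfExists does make the call succeed when the key is missing, but it does so by waiving the service restriction entirely in exactly that case, so it is a relaxation rather than a fix for a policy whose purpose is to confine the role to one service. Second, before guessing at the request context, run the real evaluator against it: `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names iam:PassRole --resource-arns <role-arn> --context-entries ContextKeyName=iam:PassedToService,ContextKeyValues=codebuild.amazonaws.com,ContextKeyType=string`, once with and once without the `--context-entries` argument, and compare the two decisions with what the live call produces.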
Source: https://stackoverflow.com/questions/55335505/failing-to-passrole-with-iampassedtoservice-for-codebuild