Only allow a role to pass itself

Question

I am trying to write a permission boundary policy that allows developers to create personal IAM roles that are only allowed to pass themselves to EC2 instances.

I'm not seeing an obvious way to write a general purpose policy for this

I tried interpolating the role ARN in the resource field, which didn't work because the field only allows using policy variables in the final segment of the ARN.

```
{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "${aws:PrincipalArn}"
}
```

There doesn't seem to be a way to either retrieve the role **name** for use in the resource field, or the target role ARN for use in a condition statement.

Thanks

P.S. I realize I could create a set of policies that each hardcode the name of the role, but I am hoping to write just a single more flexible policy because I want to use it as a permissions boundary.

Answer

You may want to look at the following KB article and borrow some methods from it. - [How can I use permissions boundaries to limit the scope of IAM users and roles, and also prevent privilege escalation?](https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/)

Only allow a role to pass itself

Relevanter Inhalt