1 Answer
1
So I figured it out. While the trusted policy allows you to have:

```json
"StringEquals": {
  "aws:PrincipalOrgID": "o-12345"
}
```

`PrincipalOrgID` isn't allowed for `"Service": "logs.us-east-1.amazonaws.com"`.

Which is less than great, so I have to have the following and update it every time a new account is added to our Org:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-1.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": [
            "arn:aws:logs:*:11111111064:*",
            "arn:aws:logs:*:11111111608:*",
            "arn:aws:logs:*:11111111423:*",
            "arn:aws:logs:*:11111111580:*",
            "arn:aws:logs:*:11111111684:*",
            "arn:aws:logs:*:11111111264:*",
            "arn:aws:logs:*:11111111864:*",
            "arn:aws:logs:*:11111111735:*",
            "arn:aws:logs:*:11111111215:*",
            "arn:aws:logs:*:11111111760:*",
            "arn:aws:logs:*:11111111466:*",
            "arn:aws:logs:*:11111111704:*",
            "arn:aws:logs:*:11111111395:*",
            "arn:aws:logs:*:11111111653:*",
            "arn:aws:logs:*:11111111392:*",
            "arn:aws:logs:*:11111111413:*",
            "arn:aws:logs:*:11111111796:*",
            "arn:aws:logs:*:11111111914:*",
            "arn:aws:logs:*:11111111446:*",
            "arn:aws:logs:*:11111111690:*",
            "arn:aws:logs:*:11111111199:*",
            "arn:aws:logs:*:11111111136:*",
            "arn:aws:logs:*:11111111667:*",
            "arn:aws:logs:*:11111111731:*",
            "arn:aws:logs:*:11111111723:*",
            "arn:aws:logs:*:11111111459:*",
            "arn:aws:logs:*:11111111365:*",
            "arn:aws:logs:*:11111111270:*",
            "arn:aws:logs:*:11111111879:*",
            "arn:aws:logs:*:11111111658:*",
            "arn:aws:logs:*:11111111744:*",
            "arn:aws:logs:*:11111111601:*",
            "arn:aws:logs:*:11111111804:*",
            "arn:aws:logs:*:11111111462:*",
            "arn:aws:logs:*:11111111339:*",
            "arn:aws:logs:*:11111111975:*"
          ]
        }
      }
    }
  ]
}
```
As you can see, that is a lot of accounts.
answered 2 years ago
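Since the answer's approach means the `aws:SourceArn` list has to be regenerated whenever the Org gains or loses an account, the natural way to keep it correct is to build the trust policy from the account list rather than edit it by hand, and to audit an existing policy against that list so that new accounts that were never added (broken log delivery) and accounts that left the Org but are still trusted (excess trust) both show up. The following Python is an added example written for this page, not code from the answer's author or from AWS. The account IDs are constructed sample values, `build_trust_policy` and `audit_trust_policy` are hypothetical helper names, and the `Sid` is an assumed label; in real use the account list would come from AWS Organizations (for example the `organizations:ListAccounts` API) rather than a hard-coded constant.

```python
import json

# Constructed sample: member-account IDs the trust policy should cover.
# A real deployment would fetch these from AWS Organizations instead.
ORG_ACCOUNTS = ["111111111064", "111111111608", "111111111423"]

# The service principal used in the answer above.
LOGS_SERVICE = "logs.us-east-1.amazonaws.com"


def source_arn_pattern(account_id: str) -> str:
    """Pattern matching any CloudWatch Logs resource in one account, any region.

    Mirrors the "arn:aws:logs:*:<account>:*" entries in the answer's policy.
    """
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:logs:*:{account_id}:*"


def build_trust_policy(account_ids, service: str = LOGS_SERVICE) -> dict:
    """Generate the trust policy from the answer for a given set of accounts.

    The Logs service principal may assume the role only when the log resource
    that triggers the call belongs to one of the listed accounts. Duplicates
    are collapsed and the list is sorted so repeated runs produce a stable diff.
    """
    arns = sorted({source_arn_pattern(a) for a in account_ids})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowLogsFromOrgAccounts",  # assumed label; the answer uses ""
                "Effect": "Allow",
                "Principal": {"Service": service},
                "Action": "sts:AssumeRole",
                "Condition": {"StringLike": {"aws:SourceArn": arns}},
            }
        ],
    }


def audit_trust_policy(policy: dict, org_account_ids) -> dict:
    """Compare the aws:SourceArn accounts in an existing policy with the Org.

    Returns "missing" (Org accounts not yet trusted, so their log delivery
    will fail) and "stale" (accounts still trusted but no longer in the Org).
    """
    expected = set(org_account_ids)
    listed = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        arns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:SourceArn", [])
        if isinstance(arns, str):  # IAM allows a single string instead of a list
            arns = [arns]
        for arn in arns:
            parts = arn.split(":")  # arn:partition:service:region:account:resource
            if len(parts) >= 6 and parts[2] == "logs":
                listed.add(parts[4])
    return {"missing": sorted(expected - listed), "stale": sorted(listed - expected)}


if __name__ == "__main__":
    policy = build_trust_policy(ORG_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    # Simulate a new account joining the Org after the policy was generated.
    print(audit_trust_policy(policy, ORG_ACCOUNTS + ["111111111999"]))
```

Running the audit on a schedule (or as part of the pipeline that deploys the role) turns the "update every time a new account is added" chore into a check that fails loudly instead of silently dropping log delivery for the new account.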
Thanks WonderPhil. I spent hours on this yesterday as I had done exactly the same as you with the organization id in the trusted policy. Removing it got it working. Nice one.