I believe the reason your second policy variation with the root principal isn't working is because of the special set of rules that apply to just two types of resource-based policies in AWS, one being these IAM role trust policies (also known as assume role policies) and the other being KMS key policies. The rules are different from those that apply to all other resource-based policies in AWS.
I think the second variation should work, if you additionally grant the corresponding `sts:AssumeRole` permission in the identity-based policy of the role. You can avoid the self-referencing problem in CFN for the identity-based policy by declaring the policy as an `AWS::IAM::ManagedPolicy` and attaching it to the role (with the `Roles` property of `AWS::IAM::ManagedPolicy`), rather than declaring the role as having the policy attached to it (with the `Policies` property of `AWS::IAM::Role`).
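A CloudFormation template showing the pattern described above, as an added example that is not part of the original answer: the trust policy names the account root principal, and the `sts:AssumeRole` grant lives in a separate `AWS::IAM::ManagedPolicy` attached via `Roles`, so the role never references its own ARN. The logical resource names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original answer): a role trusting the account
  root principal, with the sts:AssumeRole permission granted in a separate
  managed policy to avoid a circular reference in the template.

Resources:
  SelfAssumingRole:                 # logical name is an assumption
    Type: AWS::IAM::Role
    Properties:
      Description: Role that may be assumed by principals in this account
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Trusting the account root principal does not by itself let any
          # principal assume the role; under the special rules for role trust
          # policies, the caller also needs an identity-based sts:AssumeRole
          # grant on this role's ARN.
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: sts:AssumeRole

  # Kept as a separate managed policy: its Resource can use !GetAtt on the
  # role, whereas an inline entry in the role's own Policies property would
  # make the role depend on itself, which CloudFormation rejects.
  SelfAssumePolicy:                 # logical name is an assumption
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: Lets the role assume itself (scoped to its own ARN only)
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt SelfAssumingRole.Arn
      Roles:
        - !Ref SelfAssumingRole     # attach from the policy side, not the role side
```

Because the trust policy names the account root, which principals can actually assume the role is decided entirely by identity-based policies in the account, so keep the `sts:AssumeRole` grant scoped to the role's own ARN rather than `*`.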