Carven

Reputation: 15660

How to allow both account and all Lambdas to assume a role?

I have a role which I want both my root account and all my Lambdas to be able to assume.

In the trust relationship, I have the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXX:root",
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

However, this doesn't seem to work. When I attempt to assume the role in my code in Lambda, I get an access denied error.

If I were to remove "Service": "lambda.amazonaws.com" and add the Lambda's specific role to Principal.AWS, this will work. But I have so many Lambdas and I don't want to add every single Lambda role to the Principal list.

How can I set the trust relationship so that the root account and all Lambdas are able to assume this role?

Upvotes: 2

Views: 735

Answers (1)

parsifal

Reputation: 373

Specifying "Service": "lambda.amazonaws.com" means that the Lambda service can start a Lambda with that role. It doesn't mean that the Lambda can assume that role once it's running.

I think that the simplest solution is two-part: you specify the principal in the assumable role as your AWS account, then you grant the ability to assume that role in the Lambda's execution role, using a statement like this:

{
    "Version": "2012-10-17",
    "Statement": {
        "Action": [
            "sts:AssumeRole"
        ],
        "Resource": [
            "arn:aws:iam::123456789012:role/AssumableRole"
        ],
        "Effect": "Allow"
    }
}

You would attach the same statement to the group containing the users who are allowed to assume the role.

Upvotes: 2
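The evaluation the answer describes, as an added example that is not part of the question or the answer: a small, simplified model of same-account sts:AssumeRole evaluation that contrasts the trust policy from the question with the two-part setup from the answer. The account id, role names and the execution-role ARN are constructed sample values; the evaluator only models the rules relevant here (a service principal matches the AWS service, not code running under an execution role; an account-root principal delegates the decision to the caller's identity-based policy; a principal named directly is sufficient on its own, which is what the questioner observed). It is not the real IAM engine.

```python
# Constructed sample identifiers (not taken from the question)
ACCOUNT_ID = "123456789012"
ASSUMABLE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AssumableRole"
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MyFunctionExecutionRole"
LAMBDA_SERVICE = "lambda.amazonaws.com"

# Trust policy shaped like the one in the question: account root plus the Lambda *service* principal.
TRUST_QUESTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root", "Service": LAMBDA_SERVICE},
        "Action": "sts:AssumeRole",
    }],
}

# Part one of the answer: the assumable role trusts the account.
TRUST_ANSWER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Part two of the answer: the Lambda execution role is allowed to call sts:AssumeRole on it.
EXEC_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ASSUMABLE_ROLE_ARN]},
}


def _as_list(value):
    """IAM allows a single string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def account_of(arn):
    """Account id is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def trust_decision(trust_policy, caller):
    """How the trust policy names the caller: 'principal' (named directly), 'account'
    (only via the account root), or None. caller is a service principal such as
    'lambda.amazonaws.com' or the ARN of an IAM user/role in the same account."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if caller.startswith("arn:"):
            for arn in _as_list(principal.get("AWS", [])):
                if arn == caller:
                    return "principal"
                if arn.endswith(":root") and account_of(arn) == account_of(caller):
                    return "account"
        elif caller in _as_list(principal.get("Service", [])):
            # A service principal only matches the AWS service itself, never the
            # execution role that the service's function code runs under.
            return "principal"
    return None


def identity_allows(policy, action, resource):
    """Simplified identity-based policy check: an Allow statement naming action and resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if action in _as_list(stmt.get("Action", [])) and resource in _as_list(stmt.get("Resource", [])):
            return True
    return False


def can_assume(trust_policy, caller, identity_policy=None):
    """Simplified same-account AssumeRole decision (assumption: no Deny statements,
    conditions or wildcards). A trust policy naming the caller directly is enough by
    itself; one that only names the account root additionally needs the caller's own
    identity-based policy to allow sts:AssumeRole on the role."""
    how = trust_decision(trust_policy, caller)
    if how == "principal":
        return True
    if how == "account" and identity_policy is not None:
        return identity_allows(identity_policy, "sts:AssumeRole", ASSUMABLE_ROLE_ARN)
    return False


if __name__ == "__main__":
    cases = [
        ("question trust, Lambda service", TRUST_QUESTION, LAMBDA_SERVICE, None),
        ("question trust, Lambda exec role", TRUST_QUESTION, LAMBDA_EXEC_ROLE_ARN, None),
        ("answer trust, exec role without policy", TRUST_ANSWER, LAMBDA_EXEC_ROLE_ARN, None),
        ("answer trust, exec role with policy", TRUST_ANSWER, LAMBDA_EXEC_ROLE_ARN, EXEC_ROLE_POLICY),
    ]
    for label, trust, caller, identity in cases:
        print(f"{label}: {'allowed' if can_assume(trust, caller, identity) else 'denied'}")
```

The second case is the access denied from the question: the Lambda service principal is matched, but code inside the function calls STS as the execution role, which the trust policy never names. The last case is the answer's combination, and it scales because every execution role that gets the same sts:AssumeRole statement is covered by the single account-root principal.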
