Varid Vaya
Reputation: 394
AWS IAM role chaining doesn't grant the policy from the child role
I have a policy called FooPol that attached to the user as the policy shown below,
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::000000000000:role/fooRole",
"Effect": "Allow"
}
]
}
The fooRole attached to a policy called BarPol as the policy shown below,
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::000000000000:role/barRole",
"Effect": "Allow"
}
]
}
the barRole itself can perform cloudformation:DescribeStacks. Somehow the access to perform cloudformation:DescribeStacks is denied for role fooRole, but it does authorized when I attach the BarPol directly to the user. why is that?
Upvotes: 2
Views: 446
Answers (1)
Paolo
Reputation: 26084
This is expected. When a user assumes a role, the user loses all of its permissions and inherits only the permissions that the assumed role has.
Upvotes: 1
Related Questions
- aws cdk IAM Account trust role gives 'Condition must be prefaced by a vendor" error
- Creating a custom trust policy when creating a new IAM role using AWS-CDK
- How to prevent generating default policies during IAM role creation in AWS CDK
- AWS - IAM User Role Permissions are not Propagating to User
- Add policy to the auto created IAM role
- Cannot assume role by code pipeline on code pipeline action AWS CDK
- Strange behavior with IAM Roles
- Creating a cross account IAM Lambda role using CDK
- AWS CDK is keeping ask me to update the IAM role even if I have already setup the permissions
- AWS CDK IAM Federated and User IamRoleAccess?