Reputation: 179
I have a Terraform code that generates a trusted entity like this that is attached to a role for cross-account access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666:root",
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "444-555-666-777-888"
        }
      }
    }
  ]
}
If I intend to allow the AWS account with an external ID to assume the role, and I also want the AWS Backup service to assume the role, is the generated resource policy correct? I don't know whether the policy engine will pick up the condition and try to apply it to the account and also to the service, which is not desired.
Does anybody know if this is correct? Are these kinds of more complex rules documented by AWS? I have only found info about simpler rules.
I guess a way to ensure correctness would be to separate both needs into different statements, but this is what Terraform generates from the provided HCL.
Thanks
Upvotes: 0
Views: 3287
Reputation: 11
Composite principal: represents a principal that has multiple types of principals (AWS, Service).
A composite principal cannot have conditions.
Reference: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_iam.CompositePrincipal.html
Upvotes: 0
Reputation: 21
The statement will not be in effect until the condition is met, according to the AWS condition documentation.
You will need another trust statement, such as the example below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "444-555-666-777-888"
        }
      }
    }
  ]
}
Upvotes: 0
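The question asks how to get Terraform to emit the two separate statements that the answers recommend, so that the sts:ExternalId condition gates only the cross-account principal and AWS Backup can assume the role without it. The following HCL is an added example, not code from the question or from either answer; it uses the account ID, service and external ID from the question, and the role name and statement Sids are assumed values.

```hcl
# Trust policy built with the aws_iam_policy_document data source.
# Each statement {} block becomes its own entry in the "Statement" array,
# so a condition on one block never applies to the other.
data "aws_iam_policy_document" "cross_account_trust" {
  # Statement 1: AWS Backup may assume the role with no condition.
  # A service principal never passes sts:ExternalId, so it must not be gated by it.
  statement {
    sid     = "AllowAwsBackupService"   # assumed Sid
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["backup.amazonaws.com"]
    }
  }

  # Statement 2: the external account may assume the role only when it
  # presents the agreed external ID (the confused-deputy protection).
  statement {
    sid     = "AllowCrossAccountWithExternalId"   # assumed Sid
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::444555666:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["444-555-666-777-888"]
    }
  }
}

resource "aws_iam_role" "cross_account_backup" {
  name               = "cross-account-backup-role"   # assumed role name
  assume_role_policy = data.aws_iam_policy_document.cross_account_trust.json
}
```

After `terraform plan`, the rendered assume_role_policy should show two statements: the Service principal without a Condition block, and the AWS principal with the StringEquals condition. Keeping the principals in separate statements is also what makes the policy easy to audit: a reviewer can see at a glance that every cross-account AssumeRole path requires the external ID.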