Home > Net >  how to allow IAM role to assume another IAM role, via cloudformation?
how to allow IAM role to assume another IAM role, via cloudformation?

Time:01-07

adding an IAM role via cloudformation , where I want to add a trust policy such that , another IAM role (arn:aws:iam::123456789:role/otherrole) from another aws account can assume my role. but I get an error "Has prohibited field resource ( service: AmazonIdentityManagement; status Code: 400 .....

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SomeRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Resource: arn:aws:iam::123456789:role/otherrole
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
      ...

CodePudding user response:

AssumeRolePolicyDocument do not have Resource. It should be Principal:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SomeRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: 
              AWS: arn:aws:iam::123456789:role/otherrole
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
      ...

Page link:https//www.codepudding.com/net/254247.html

Prev:How to read JSON file containing multiple dictionaries with boto3
Next:How to set TLS to a service in EKS with PCA on AWS?
  •  Tags:  
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding