kevinhakanson.com

AWS sts:AssumeRole and Condition Keys

April 19, 2017 #aws #iam

While looking into how to restrict a role so that it can only be assumed from specific EC2 instances, I found Actions and Condition Context Keys for AWS Security Token Service - AWS Identity and Access Management, which lists the Action key used to assume a role:

Here is an example of a trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

It doesn’t look like any Condition keys can be applied here, based on:

Condition context keys for AWS Security Token Service

AWS Security Token Service has no service-specific context keys that can be used in an IAM policy. For the list of the global condition context keys that are available to all services, see Available Global Condition Keys in the IAM Policy Elements Reference.

Maybe some of these Global Condition Keys could be used?

  • aws:SourceArn
  • aws:userid
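As an added example (not from the original post), here is a small audit helper that reads a trust policy document like the one above and reports, for each statement granting sts:AssumeRole, which principals are trusted and which Condition keys, if any, constrain them. The second sample policy is constructed to show where a global key such as aws:userid would sit syntactically; the account id and user id in it are placeholders, and the helper only reports what is present, not whether STS honours a given key for a given principal.

```python
import json

# Constructed sample: mirrors the EC2 service-principal trust policy above.
EC2_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample with a Condition on one of the global keys the post lists.
# Placeholder account id and user id; the audit only reports what is present,
# it does not decide whether STS honours this key for this principal.
CONDITIONED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:userid": "AIDAEXAMPLEUSERID"}},
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list for Action and Principal values."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(document: str) -> list[dict]:
    """Per Allow statement granting sts:AssumeRole: trusted principals and
    the Condition keys constraining them, so unconditional trust stands out."""
    findings = []
    for stmt in _as_list(json.loads(document).get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else [
            f"{ptype}:{p}" for ptype, vals in principal.items() for p in _as_list(vals)
        ]
        # Condition is {operator: {key: value}}; collect the keys across operators.
        keys = sorted(k for op in stmt.get("Condition", {}).values() for k in op)
        findings.append({"principals": principals, "condition_keys": keys,
                         "unconditional": not keys})
    return findings
```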