CloudFormation IAM Role -- AssumeRolePolicyDocument

amazon-web-services amazon-cloudformation amazon-iam amazon-policy
Sam S. picture Sam S. · Jan 31, 2017 · Viewed 9.9k times · Source

So I'm constructing a cf stack for a role in AWS and I don't know how to go about the AssumeRolePolicyDocument field when designing a role that is not resource-based.

All the examples I've tried to look up each have a specific AWS resource designated under the "Principal" field (e.g. "Service": "ec2.amazonaws.com").

What's the correct way to go about the AssumeRolePolicyDocument field for roles that are designed for users, not resources?

Answer

wjordan picture wjordan · Jan 31, 2017

You can specify an AWS IAM user using the AWS key instead of Service as the Principal for a role policy document, including an AssumeRolePolicyDocument:

"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }

Refer to the Specifying a Principal section of the IAM Policy Elements Reference for full details.

Related questions

User is not authorized to perform: cloudformation:CreateStack

I'm trying out Serverless to create AWS Lambdas and while creating a project using the command serverless project create I'm getting the following error. AccessDenied: User: arn:aws:iam::XXXXXXXXX:user/XXXXXXXXX is not authorized to perform: cloudformation:CreateStack on …

Read More
AWS CodePipeline error: Cross-account pass role is not allowed

I am trying to create an AWS CodePipeline that deploys the production code to a separate account. The code consists of a lambda function which is setup using a sam template and cloudformation. I have it currently deploying to the …

Read More
Message "Did not have IAM permissions to process tags on AWS::KMS::Key resource" When Creating KMS Key Using Cloudformation

While creating a new KMS key using Cloudformation I see this message in the "Status Reason" column: Did not have IAM permissions to process tags on AWS::KMS::Key resource The cloudformation stack seems to be created correctly, but I …

Read More