I want to create the role (that will be assumed by another IAM role) with the following policy:
I should be able to assume the role only:
- if the tag team is set to "team"
- if the tag department is set to "devops"
- if the user sets a source identity when assuming the role
I'm failing with the following error:
    aws sts assume-role \
      --role-arn "arn:aws:iam::1111122222333:role/team-sso-administrators-role" \
      --role-session-name JimSmith \
      --source-identity JimSmith \
      --tags Key=team,Value=team Key=department,Value=devops
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::ANOTHERACCOUNTID:assumed-role/AWSReservedSSO_team-administrators-role_feadc200cc9855b0/JimSmith is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::1111122222333:role/team-sso-administrators-role
The statement of the policy:

    statement {
      effect  = "Allow"
      actions = ["sts:AssumeRole", "sts:SetSourceIdentity", "sts:TagSession"]
      principals {
        type        = "AWS"
        identifiers = var.trusted_role_arns
      }
      principals {
        type        = "Service"
        identifiers = var.trusted_role_services
      }
      condition {
        test     = "StringEquals"
        variable = "aws:RequestTag/department"
        values   = ["devops"]
      }
      condition {
        test     = "StringEquals"
        variable = "aws:RequestTag/team"
        values   = ["team"]
      }
      condition {
        test     = "StringLike"
        variable = "sts:SourceIdentity"
        values   = ["*"]
      }
      condition {
        test     = "ForAllValues:StringEquals"
        variable = "aws:TagKeys"
        values   = ["department", "team"]
      }
    }
If I remove "sts:SetSourceIdentity" and the associated condition, I can enforce tags. If I remove "sts:TagSession" and the associated conditions, I can enforce SourceIdentity.
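The behaviour described above follows from STS authorizing sts:AssumeRole, sts:TagSession and sts:SetSourceIdentity as separate actions, each with its own request context: a condition key that is not present for an action (for example aws:RequestTag/* when evaluating sts:SetSourceIdentity) makes a StringEquals condition fail, so a single statement that attaches every condition to all three actions denies the call. Below is an added example (not the poster's code) of the same trust policy split into one statement per action, keeping only the condition keys each action actually supports; it reuses var.trusted_role_arns from the question and omits the Service principals block for brevity.

```hcl
data "aws_iam_policy_document" "trust" {
  # sts:AssumeRole is evaluated on every call, so all requirements go here.
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = var.trusted_role_arns # assumed: same variable as the question
    }
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/department"
      values   = ["devops"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/team"
      values   = ["team"]
    }
    condition {
      test     = "StringLike"
      variable = "sts:SourceIdentity"
      values   = ["*"] # any non-empty source identity must be supplied
    }
  }
  # sts:TagSession only sees tag-related keys, so only tag conditions belong here.
  statement {
    effect  = "Allow"
    actions = ["sts:TagSession"]
    principals {
      type        = "AWS"
      identifiers = var.trusted_role_arns
    }
    condition {
      test     = "ForAllValues:StringEquals"
      variable = "aws:TagKeys"
      values   = ["department", "team"] # no tag keys beyond these two
    }
  }
  # sts:SetSourceIdentity does not see aws:RequestTag/*; the AssumeRole
  # statement above already requires a source identity, so no condition here.
  statement {
    effect  = "Allow"
    actions = ["sts:SetSourceIdentity"]
    principals {
      type        = "AWS"
      identifiers = var.trusted_role_arns
    }
  }
}
```

The tag values and the presence of a source identity are enforced on sts:AssumeRole, which every call must pass, while the two helper actions are granted with only the conditions whose keys exist in their request context.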