I have an role which I would like to be assumable by a user logged in via SSO. The user’s role generated by SSO in the account is suffixed with a 16 digit hex string which is (as far as I can tell) random and therefor non-determinable at the point I construct the trust policy for the assumed role.
I came up with the following as a workaround for the fact that I can’t know the precise principal ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CanBeASsumedByMyPermissionSet",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": "arn:aws:iam::xxxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_MyPermissionSet_*"
}
}
}
]
}
This works for me, however, I get the following warning in the IAM console for the target role:
Overly permissive trust policy exists in your trust relationships. Broad access: Principals that include a wildcard (*, ?) can be overly permissive.
It is also causing alerts in our 3rd-party monitoring.
Is there a better way that doesn't trigger this warning?