Please reach out to me on Twitter @MatthewTyler13 if you have any questions!
Introduction
At some point in your career using AWS, you...
Thanks for the clear article. The point about needing to fully delegate trust to another account was the bit that caught me out for days last year. I tried for ages to explicitly state the source role that could assume the target role but it never worked.
It is possible to restrict to a single role - but it requires adding a condition statement to the principal that restricts the roles that can be used to a specific AWS principal ID. You can find the principal ID by calling describe role using the CLI - I don't think it is exposed in the console.
The downside of this is that the principal ID changes if you recreate a role. So if you delete a role and create it again, the trust policy will no longer work.
Another way to restrict access to a specific role is using sts:externalID, which is like giving a password that needs to be passed in when assuming a role.
Thanks, super tips!
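The two narrowing techniques discussed in the comments above (matching the source role's unique ID, and requiring an external ID) can be shown concretely in a trust policy. The following is an added example, not code from the article or from the commenters. It builds the trust policy the thread describes: the principal delegates to the whole trusted account, and conditions then narrow it. The unique role ID is matched with the `aws:userid` condition key (whose value for a role session is `<RoleId>:<session-name>`), and the external ID with `sts:ExternalId`. The role ID is retrieved in practice with `aws iam get-role --role-name <name> --query Role.RoleId`. Account number, role ID, and external ID below are constructed placeholders. The evaluator is a deliberately small simulation of the trust-policy side of AssumeRole, included to demonstrate the failure mode the thread mentions: recreating the source role gives it a new ID, so the old policy stops matching.

```python
import fnmatch
import json

# Constructed placeholder values (not real AWS identifiers).
TRUSTED_ACCOUNT = "111122223333"
SOURCE_ROLE_ID = "AROAEXAMPLESOURCEID"      # from: aws iam get-role --query Role.RoleId
EXTERNAL_ID = "constructed-external-id"


def trust_policy(trusted_account, source_role_id=None, external_id=None):
    """Build a trust policy for the target role.

    The Principal delegates to the entire trusted account, as the thread
    describes. Optional conditions then restrict AssumeRole to one source
    role (by its unique ID, via aws:userid) and/or require an external ID.
    """
    condition = {}
    if source_role_id:
        # aws:userid for an assumed-role session is "<RoleId>:<session-name>",
        # so a trailing wildcard matches every session of that one role.
        condition.setdefault("StringLike", {})["aws:userid"] = f"{source_role_id}:*"
    if external_id:
        condition.setdefault("StringEquals", {})["sts:ExternalId"] = external_id

    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_allowed(policy, caller_account, caller_userid, external_id=None):
    """Toy evaluation of the trust policy against a simulated request context.

    Only the trust-policy side is modelled (the caller's own identity policy
    must also allow sts:AssumeRole in real IAM). Supports the two condition
    operators used above: StringLike on aws:userid and StringEquals on
    sts:ExternalId.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {})
        userid_pattern = cond.get("StringLike", {}).get("aws:userid")
        if userid_pattern is not None and not fnmatch.fnmatchcase(caller_userid, userid_pattern):
            continue
        required_ext = cond.get("StringEquals", {}).get("sts:ExternalId")
        if required_ext is not None and external_id != required_ext:
            continue
        return True
    return False


if __name__ == "__main__":
    policy = trust_policy(TRUSTED_ACCOUNT, SOURCE_ROLE_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    # The intended role with the right external ID succeeds ...
    print(assume_role_allowed(policy, TRUSTED_ACCOUNT, f"{SOURCE_ROLE_ID}:deploy", EXTERNAL_ID))
    # ... but a recreated role (new unique ID, same name) no longer matches.
    print(assume_role_allowed(policy, TRUSTED_ACCOUNT, "AROANEWIDAFTERRECREATE:deploy", EXTERNAL_ID))
```

Running the block prints the generated policy followed by `True` and `False`, the second line being the "delete and recreate" pitfall from the thread. Because the external ID is a shared secret rather than an identity, it survives role recreation, which is why the two conditions are complementary rather than interchangeable.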