The gist: I have several ECR repositories in AWS account 'B' and want to restrict actions to an 'admin-users' IAM group in account 'A'. I'm creating these resources through CloudFormation.
I have a policy on the repos that restricts actions to an 'admin-role' IAM role that lives in A. I therefore want to allow only members of 'admin-users' to be able to assume that role; however, groups can't be principals and there doesn't seem to be a condition to test group membership. I believe I'm able to allow admin-users to assume admin-role through an inline policy on admin-users, but AssumeRolePolicyDocument is required on the role and I can't see any way to create a no-op assume role policy.
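The usual way to get group-scoped access to a role when groups cannot be trust-policy principals, shown as an added example that is not part of the original post: the role's AssumeRolePolicyDocument trusts account A's root principal, which by itself grants nothing to any user, and the group's inline policy is what actually hands out sts:AssumeRole on that one role ARN. The script builds the two CloudFormation resources and includes a deliberately simplified model of the assume-role decision so the two-policy intersection is visible. The account id '111111111111' and the resource logical names are constructed for this example; no AWS calls are made.

```python
"""Added example: CloudFormation resources for a group-restricted assumable
role, plus a simplified model of why both policies are needed.

Constructed assumptions: account A id '111111111111', role 'admin-role',
group 'admin-users'. Nothing here talks to AWS.
"""
import json

ACCOUNT_A = "111111111111"  # constructed placeholder account id
ROLE_NAME = "admin-role"
GROUP_NAME = "admin-users"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/{ROLE_NAME}"


def trust_policy(account_id: str) -> dict:
    """Trust policy for the role. IAM groups cannot be principals, so the
    policy names the account root. That does NOT let every identity in the
    account assume the role: for a same-account caller, IAM also requires an
    explicit sts:AssumeRole allow in the caller's own identity policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def group_assume_policy(role_arn) -> dict:
    """Inline policy for the group: members get sts:AssumeRole on exactly one
    role ARN (least privilege; no wildcard resource)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def cloudformation_template() -> dict:
    """The role and the group as CloudFormation resources."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "AdminRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": ROLE_NAME,
                    "AssumeRolePolicyDocument": trust_policy(ACCOUNT_A),
                },
            },
            "AdminUsers": {
                "Type": "AWS::IAM::Group",
                "Properties": {
                    "GroupName": GROUP_NAME,
                    "Policies": [{
                        "PolicyName": "AssumeAdminRole",
                        # Reference the role's ARN via GetAtt at deploy time.
                        "PolicyDocument": group_assume_policy(
                            {"Fn::GetAtt": ["AdminRole", "Arn"]}),
                    }],
                },
            },
        },
    }


def _actions(stmt: dict) -> list:
    act = stmt["Action"]
    return [act] if isinstance(act, str) else list(act)


def can_assume(caller_account: str, caller_policies: list, role_arn: str,
               trust: dict) -> bool:
    """Simplified model of the AssumeRole decision for a caller whose account
    is trusted via its root principal: the trust policy must allow the
    caller's account AND the caller's identity policies must allow
    sts:AssumeRole on the role. Explicit denies, conditions and SCPs are
    deliberately omitted."""
    trusted = any(
        s["Effect"] == "Allow"
        and s["Principal"].get("AWS") == f"arn:aws:iam::{caller_account}:root"
        and "sts:AssumeRole" in _actions(s)
        for s in trust["Statement"]
    )
    identity_allows = any(
        s["Effect"] == "Allow"
        and "sts:AssumeRole" in _actions(s)
        and s["Resource"] in (role_arn, "*")
        for p in caller_policies for s in p["Statement"]
    )
    return trusted and identity_allows


if __name__ == "__main__":
    print(json.dumps(cloudformation_template(), indent=2))
```

Members of admin-users carry the inline policy and pass both checks; an IAM user in account A outside the group fails the identity-policy check even though the trust policy names the account root, and a member of a different account fails the trust check.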