4 votes

The gist: I have several ECR repositories in AWS account 'B' and want to restrict actions to an 'admin-users' IAM group in account 'A'. I'm creating these resources through CloudFormation.

I have a policy on the repos that restricts actions to an 'admin-role' IAM role that lives in A. I therefore want to allow only members of 'admin-users' to be able to assume that role; however groups can't be principals and there doesn't seem to be a condition to test group membership. I believe I'm able to allow admin-users to assume admin-role through an inline policy on admin-users, but AssumeRolePolicyDocument is required on the role and I can't see any way to create a no-op assume role policy.


2 Answers

2 votes

You are correct. Groups cannot currently be principals on assumed roles. This restriction has similar impact on other resources such as group access to S3.

The only way to achieve this is through the policy set on the group, which can restrict which roles are assumed. However, the role itself needs to allow root from the principal, which leaves a big hole in your security.

Hopefully AWS will fix this one day.

0 votes

You can have 2 policies:

  • P1 in acc B which is attached to a Role in acc B and allows access to ECR repositories.
  • P2 in acc A which allows assuming the Role in acc B and is attached to a Group in acc A

Your users are added to the Group in acc A. Therefore they get permissions (P2) to assume the Role in acc B (as in Switch role) that allows them access to ECR repositories in acc B (P1).

Also here's a tutorial: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
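The two-policy layout from this answer, written out as the pair of CloudFormation templates the question asked for. This is an added illustration, not code from the original question or answer: the role name `ecr-admin-role`, the group name `admin-users`, the repository name `app` and the account-ID parameters are assumptions chosen for the example. The first document is deployed as a stack in account B (repository, role, trust policy and P1), the second as a stack in account A (group and P2); CloudFormation takes one document per stack, so split the file at the `---` before deploying. Trusting account A's `root` in the trust policy does not by itself let every identity in A assume the role: it delegates the decision to A's own IAM, so only identities that also carry an `sts:AssumeRole` allow (here, members of the group via P2) can assume it.

```yaml
# ---------------------------------------------------------------------------
# Stack 1: deploy in account B (the account that owns the ECR repositories).
# Example values only: ecr-admin-role, app and the account IDs are assumptions.
# ---------------------------------------------------------------------------
AWSTemplateFormatVersion: '2010-09-09'
Description: Account B - ECR repository, cross-account role and its ECR policy (P1)
Parameters:
  TrustedAccountId:
    Type: String
    Description: Account A, whose IAM principals may be allowed to assume the role
    AllowedPattern: '^[0-9]{12}$'
  RepositoryName:
    Type: String
    Default: app
Resources:
  EcrAdminRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ecr-admin-role
      # Trust policy. Trusting the account root delegates the decision to
      # account A's IAM: a principal in A can assume this role only if it
      # ALSO holds an identity policy allowing sts:AssumeRole on it (P2).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${TrustedAccountId}:root'
            Action: sts:AssumeRole
            # Optional hardening: only accept callers that authenticated with MFA.
            # Condition:
            #   Bool:
            #     aws:MultiFactorAuthPresent: 'true'
      Policies:
        - PolicyName: ecr-admin-access   # P1
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: ecr:GetAuthorizationToken   # not resource-scoped
                Resource: '*'
              - Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:BatchGetImage
                  - ecr:GetDownloadUrlForLayer
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                  - ecr:PutImage
                # Built from the name rather than !GetAtt so the role does not
                # depend on the repository, whose policy depends on the role.
                Resource: !Sub 'arn:${AWS::Partition}:ecr:${AWS::Region}:${AWS::AccountId}:repository/${RepositoryName}'
  AppRepository:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: !Ref RepositoryName
      # Resource-side policy, as in the question: only the role is named.
      RepositoryPolicyText:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !GetAtt EcrAdminRole.Arn
            Action:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
              - ecr:InitiateLayerUpload
              - ecr:UploadLayerPart
              - ecr:CompleteLayerUpload
              - ecr:PutImage
---
# ---------------------------------------------------------------------------
# Stack 2: deploy in account A (the account that holds the users).
# ---------------------------------------------------------------------------
AWSTemplateFormatVersion: '2010-09-09'
Description: Account A - admin-users group allowed to assume the role in account B (P2)
Parameters:
  EcrAccountId:
    Type: String
    Description: Account B, which owns the repositories and the role
    AllowedPattern: '^[0-9]{12}$'
Resources:
  AdminUsersGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: admin-users
      Policies:
        - PolicyName: assume-ecr-admin-role   # P2
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                Resource: !Sub 'arn:${AWS::Partition}:iam::${EcrAccountId}:role/ecr-admin-role'
```

A member of `admin-users` then switches with `aws sts assume-role --role-arn arn:aws:iam::<account B>:role/ecr-admin-role --role-session-name ecr`, or with a CLI profile that sets `role_arn` and `source_profile`, and uses the returned temporary credentials for `docker login` and the push. Because the role lives in the same account as the repository, P1 alone would already authorise it; the repository policy keeps the restriction visible on the resource itself, as the question has it, but note that an allow-only resource policy does not deny other same-account principals that hold their own ECR permissions.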