1
votes

I have a cross-account VPC peering authorizer role that I use to automatically accept peering connections via CloudFormation. The problem is that I want to run the VPC peering template as an assumed role. The role ARN has a session name at the end. I cannot add a principal to my authorizer role's trusted entities because the role with the session name only "exists at runtime". CloudFormation fails to assume the role because arn:aws:iam::123456789:role/Admin/session-name is not a principal in my trust policy; only arn:aws:iam::123456789:role/Admin is. I can't use a wildcard, and Admin/session-name isn't a permanent role in the account.

Is this possible? How can I authorize an assumed role with a session name in a trust policy?

Edit: Solved. My trust policy principal should be arn:aws:sts::123456788:assumed-role/Admin/session-name rather than arn:aws:iam


1 Answer

3
votes

Solved. My trust policy principal should be arn:aws:sts::123456788:assumed-role/Admin/session-name rather than arn:aws:iam...
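The point of the accepted answer is that a role session is not an IAM resource, so its ARN lives in the sts namespace, not iam: the principal that identifies a specific session of a role is arn:aws:sts::ACCOUNT:assumed-role/ROLE-NAME/SESSION-NAME (with the role's path dropped), whereas arn:aws:iam::ACCOUNT:role/ROLE-NAME names the role itself and admits every session of it. The following is an added example written for this page, not code from the original question or answer; it derives the assumed-role principal from a role ARN plus a session name, classifies which callers a given principal admits, and emits the trust policy document. The 12-digit account ID is a constructed placeholder, and the helper names are assumptions of the example.

```python
"""Trust-policy principals for a specific assumed-role session (added example)."""
import json
import re

# ARN shapes from the IAM/STS documentation. An IAM role ARN may carry a path
# (role/path/to/Name); an STS assumed-role ARN never does and appends the session name.
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:[\w+=,.@-]+/)*([\w+=,.@-]+)$")
STS_ASSUMED_ROLE_ARN = re.compile(
    r"^arn:aws:sts::(\d{12}):assumed-role/([\w+=,.@-]+)/([\w+=,.@-]+)$"
)
# RoleSessionName must be 2..64 characters from this set; STS rejects anything else.
SESSION_NAME = re.compile(r"^[\w+=,.@-]{2,64}$")


def assumed_role_arn(role_arn: str, session_name: str) -> str:
    """Translate an IAM role ARN plus a session name into the STS assumed-role ARN.

    Note that 'arn:aws:iam::ACCOUNT:role/Admin/session-name' parses as a role
    named 'session-name' under path '/Admin/', which is why that form never
    matches a live session.
    """
    match = IAM_ROLE_ARN.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not SESSION_NAME.match(session_name):
        raise ValueError(f"invalid role session name: {session_name!r}")
    account, role_name = match.groups()  # the path, if any, is discarded here
    return f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"


def principal_scope(principal: str) -> str:
    """Describe which callers a trust-policy principal admits."""
    if IAM_ROLE_ARN.match(principal):
        return "any session of the role"
    if STS_ASSUMED_ROLE_ARN.match(principal):
        return "one role session"
    raise ValueError(f"unsupported principal for this example: {principal}")


def build_trust_policy(principals) -> dict:
    """Assemble the trust (assume-role) policy for the authorizer role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": list(principals)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


if __name__ == "__main__":
    # Constructed placeholder: the calling account's Admin role, as in the question.
    caller_role = "arn:aws:iam::123456789012:role/Admin"
    session_principal = assumed_role_arn(caller_role, "session-name")
    print(session_principal, "->", principal_scope(session_principal))
    print(json.dumps(build_trust_policy([session_principal]), indent=2))
```

Two things worth keeping in mind when pinning a session name this way: the session name is chosen by whoever calls AssumeRole, so the restriction is only as strong as the calling account's control over who may assume Admin and pick that name, and a trust on the plain role ARN already covers every session of that role if pinning a name turns out to be unnecessary.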