0
votes

Is it possible to have two statements for the same action in an IAM role? For different actions it works fine, but when creating a new statement for the same action it's not working.

Example:

  IamDeploymentRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "iam-deployment"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${ManagementAccountID}:root"
            Action:
              - "sts:AssumeRole"
            Condition:
              IpAddress:
                X
          - Effect: "Allow"
            Principal:
              Service:
                - "some service"
            Action:
              - "sts:AssumeRole"

I'm trying to do it, but it's like the second item in the statement is being ignored. I don't know exactly how this filter works. For instance, when a statement matches the action but not the condition, does it move on? Or does it stop at the first "no"?

I tried a lot of documentation, but couldn't find an answer.

Condition: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html

Condition Operator: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

Condition Key: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awscloudformation.html#awscloudformation-aws_ResourceTag___TagKey_

Global condition key: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalarn

Policies and Permissions: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
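As an added example (not part of the original question or its answers), the Python script below models how IAM evaluates a trust policy that contains several statements: every statement is examined, a statement whose Condition does not match is simply skipped rather than ending the evaluation, an explicit Deny wins over any Allow, and the order of the statements makes no difference. The account ID, the CIDR and the service name are placeholders chosen for the example in place of the question's `${ManagementAccountID}`, `X` and "some service"; the evaluator implements only the subset of IAM semantics needed here (exact action match, AWS or Service principals, and the IpAddress/NotIpAddress operators on aws:SourceIp).

```python
"""Toy evaluator for an IAM trust policy (AssumeRolePolicyDocument).

Added example, not code from the original post or from AWS. It models only
the part of the IAM evaluation logic relevant to the question: all statements
are examined, an explicit Deny beats any Allow, and the request is allowed if
at least one Allow statement matches its principal, action and conditions.
"""
import ipaddress

MANAGEMENT_ACCOUNT_ID = "111122223333"  # assumption: stands in for ${ManagementAccountID}
OFFICE_CIDR = "203.0.113.0/24"           # assumption: stands in for the "X" in the question
TRUSTED_SERVICE = "lambda.amazonaws.com"  # assumption: stands in for "some service"

# Constructed trust policy with the two statements from the question.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:root"]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDR}},
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": [TRUSTED_SERVICE]},
            "Action": ["sts:AssumeRole"],
        },
    ],
}

MGMT_ROOT = ("AWS", f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:root")
LAMBDA = ("Service", TRUSTED_SERVICE)


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def request(principal, source_ip, action="sts:AssumeRole"):
    """Build a request: principal is ('AWS', arn) or ('Service', name)."""
    return {"principal": principal, "source_ip": source_ip, "action": action}


def principal_matches(stmt_principal, req):
    kind, ident = req["principal"]
    if stmt_principal == "*":
        return True
    return ident in _as_list(stmt_principal.get(kind, []))


def conditions_match(conditions, req):
    """Supports only IpAddress / NotIpAddress on aws:SourceIp (enough for the question)."""
    src = ipaddress.ip_address(req["source_ip"])
    for operator, keys in conditions.items():
        for key, value in keys.items():
            if key != "aws:SourceIp":
                raise ValueError(f"unsupported condition key in this toy: {key}")
            in_range = any(src in ipaddress.ip_network(c) for c in _as_list(value))
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def evaluate(policy, req):
    """Return ('Allow' | 'Deny', index of the deciding statement or None)."""
    decision, deciding = "Deny", None  # implicit deny until some Allow matches
    for idx, stmt in enumerate(policy["Statement"]):
        if req["action"] not in _as_list(stmt["Action"]):
            continue
        if not principal_matches(stmt["Principal"], req):
            continue
        if not conditions_match(stmt.get("Condition", {}), req):
            continue  # condition failed: this statement does not apply, keep going
        if stmt["Effect"] == "Deny":
            return "Deny", idx  # explicit deny always wins, no need to look further
        decision, deciding = "Allow", idx  # keep scanning in case a Deny follows
    return decision, deciding


def reversed_statements(policy):
    """Same policy with the statement order flipped, to show order is irrelevant."""
    return {**policy, "Statement": list(reversed(policy["Statement"]))}


if __name__ == "__main__":
    print("mgmt root from office IP :", evaluate(TRUST_POLICY, request(MGMT_ROOT, "203.0.113.7")))
    print("mgmt root from other IP  :", evaluate(TRUST_POLICY, request(MGMT_ROOT, "198.51.100.7")))
    print("lambda service           :", evaluate(TRUST_POLICY, request(LAMBDA, "10.0.0.1")))
    print("lambda, statements swapped:", evaluate(reversed_statements(TRUST_POLICY), request(LAMBDA, "10.0.0.1")))
```

The second statement is reached whether or not the first one's IpAddress condition holds; a failed condition only makes that one statement inapplicable. The practical caveat for the question's template is therefore not evaluation order but making sure the second `- Effect` item really sits inside the `Statement` list, and remembering that aws:SourceIp only applies to callers that have a source IP (the service-principal statement deliberately carries no such condition).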


2 Answers

2
votes

It appears that you are defining AssumeRolePolicyDocument, which is the Trust Policy for an IAM Role.

I tested this by creating an IAM Role with a Trust Policy that trusted both Amazon EC2 and AWS Lambda:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I then assigned Amazon S3 permissions to the role.

Testing:

  • EC2: I attempted to launch an Amazon EC2 instance with this role, but the role did not appear in the drop-down list.
  • Lambda: I was able to successfully attach the role to an AWS Lambda function and access Amazon S3.

I then swapped the order of the trust relationships:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This had no impact — Lambda worked fine, but EC2 would not recognize the role.

I then removed Lambda from the Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This caused the role to disappear from the Lambda console and, strangely, it also did not appear for use in the EC2 console.

I then created an identical role (with just EC2 as the trusted entity) and it worked fine.

Bottom line: The services do seem to get confused when there are multiple services in the Trust Policy. It is almost as if it "remembers" the first service and ignores the others, even when the trust policy is modified. Therefore, it seems that you can only specify one service in a Trust Policy.

0
votes

It looks like you have an indentation issue. The second item in the array needs to be indented.