
So I'm constructing a cf stack for a role in AWS and I don't know how to go about the AssumeRolePolicyDocument field when designing a role that is not resource-based.

All the examples I've tried to look up each have a specific AWS resource designated under the "Principal" field (e.g. "Service": "ec2.amazonaws.com").

What's the correct way to go about the AssumeRolePolicyDocument field for roles that are designed for users, not resources?

Sam S.
  • Could you provide more context on the problem you're trying to solve, for example, what sort of use-case are you designing the role for? – wjordan Jan 31 '17 at 16:15
  • This is just for a dev role for a specific engineering division. You answered the question perfectly below! Thanks. – Sam S. Jan 31 '17 at 16:37

1 Answer


You can specify an AWS IAM user using the AWS key instead of Service as the Principal for a role policy document, including an AssumeRolePolicyDocument:

"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }

Refer to the Specifying a Principal section of the IAM Policy Elements Reference for full details.

wjordan