6

I am new to AWS IAM Roles.

Here the scenario is: I have an IAM Role (DDBReadRole) for DynamoDB read access (in Account P, let's say). And we have 2 lambda execution roles L1, L2 in Account B and Account C respectively. Now these 2 lambda execution roles need to be added to the DDBReadRole Trust Entities relation.

For this I am writing:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::<AccountBId>:role/<AccountBRole>",
                        "arn:aws:iam::<AccountCId>:role/<AccountCRole>"
                    ]
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

I got another option:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<AccountBId>:role/<AccountBRole>"
                },
                "Action": "sts:AssumeRole"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<AccountCId>:role/<AccountCRole>"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

Can someone please help me: which is the correct way to add 2 AWS Principals in trust entities?

parhau
  • 87
  • 2
  • 7
  • You usually only use two statements if they have different configurations, most importantly e.g. different conditions. – luk2302 Oct 06 '22 at 08:36

1 Answer

5

Both are correct, and you can use any of them. But the first form is usually used, because it's shorter.

Marcin
  • 215,873
  • 14
  • 235
  • 294
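The point of the answer can be checked mechanically. The following is an added example, not code from the question or the answer: it loads both trust-policy forms, extracts the set of principals each one allows to call sts:AssumeRole, shows that the two sets are identical, and additionally flags the pattern a reviewer would want to catch in a role trust policy, a broad principal (an account root ARN, a bare account id, or `*`) with no Condition block. The account ids 111111111111 / 222222222222 and the role names L1 / L2 are constructed placeholders standing in for `<AccountBId>`, `<AccountCId>` and the execution role names.

```python
import json

# Trust policy form 1 from the question: one statement, a list of principals.
# Account ids and role names below are constructed sample values.
POLICY_ONE_STATEMENT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111111111111:role/L1",
                "arn:aws:iam::222222222222:role/L2"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Trust policy form 2 from the question: one statement per principal.
POLICY_TWO_STATEMENTS = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/L1"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/L2"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Constructed counter-example: trusting an account root without a Condition
# lets any principal in that account (that its own IAM policies permit) assume the role.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "sts:AssumeRole"}
    ],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Principal and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals named by one statement ("*" covers the anonymous form)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    return _as_list((principal or {}).get("AWS"))


def trusted_principals(policy):
    """Set of AWS principals allowed to call sts:AssumeRole under this trust policy.

    Only Allow statements can grant trust; Deny statements are skipped here.
    """
    trusted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        trusted.update(_aws_principals(stmt))
    return trusted


def same_trust(policy_a, policy_b):
    """True when both policies admit exactly the same set of principals."""
    return trusted_principals(policy_a) == trusted_principals(policy_b)


def audit_trust_policy(policy):
    """List the broad principals (account root, bare account id, or *) that lack a Condition."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            broad = principal == "*" or principal.endswith(":root") or principal.isdigit()
            if broad and "Condition" not in stmt:
                findings.append(f"statement {index}: broad principal {principal!r} has no Condition")
    return findings


if __name__ == "__main__":
    print("same trust:", same_trust(POLICY_ONE_STATEMENT, POLICY_TWO_STATEMENTS))
    for name, pol in [("one", POLICY_ONE_STATEMENT), ("two", POLICY_TWO_STATEMENTS), ("broad", BROAD_POLICY)]:
        print(name, sorted(trusted_principals(pol)), audit_trust_policy(pol))
```

Both role ARNs in the question name specific roles, so neither form triggers a finding; the check only fires for the constructed root-principal policy. In a real review the same function can be run on the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) before the trust change is applied.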