Background
As a company scales out the number of AWS accounts used for different workloads, they may require IAM roles which are able to be assumed by any other account within the organization to perform some action, if you are trusting accounts by adding each account principal to the trust policy you may soon find your self hitting the 2048 character limit.
Solution
Use conditions
When making use of conditional filters and the inherent trust that comes from being within an organization, you can dramatically reduce the size and complexity of policies.
From listing all explicit account IDs
OrgWideRole:
Type: AWS::IAM::Role
Properties:
RoleName: OrgWideRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS:
- '012345678901'
- '123456789012'
- '234567890123'
- '345678901234'
- '456789012345'
- '567890123456'
- '*150 or so more account IDs*'
Action: sts:AssumeRole
To trusting the organization ID
OrgWideRole:
Type: AWS::IAM::Role
Properties:
RoleName: OrgWideRole
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS:
- '*'
Action: sts:AssumeRole
Condition:
StringEquals:
aws:PrincipalOrgID : o-12345abcd
You can change the behavior to limit to accounts associated with a specific OU by using conditional key aws:PrincipalOrgPaths
e.g.
Condition:
ForAnyValue:StringEquals:
aws:PrincipalOrgPaths:
- o-12345abcd/r-eg123/ou-example123/
Further extension of this is possible by using StringLike operator to trust all children of the OU
e.g.
Condition:
ForAnyValue:StringLike:
aws:PrincipalOrgPaths:
- o-12345abcd/r-eg123/ou-example123*
There are more permutations of this possible to fit your needs, though implementing trust via organization membership or OU membership has significantly reduced our trust policy sizes while increasing scalability of the platform.
Top comments (0)