Describe the bug
I would like to create a trust relationship with a specific role in a different account and not use the account principal.
The final result I want is this trust relationship (as in this example)
This is what I am doing
This fails with the following error
Expected Behavior
I would expect to see the trust relationship policy with the IAM role as Principal.
This should work as the CDK docs say:
> You can specify AWS accounts, IAM users, Federated SAML users, IAM roles, and specific assumed-role sessions. You cannot specify IAM groups or instance profiles as principals.
Note that if I use the account Principal ARN like this it works:
```ts
...
new Role(this, 'my-role', {
  assumedBy: new ArnPrincipal('arn:aws:iam::111111111111:root'),
...
```
But I don't want to give permission to the entire account and want to restrict to the individual role.
Current Behavior
```
Invalid principal in policy: "AWS":"arn:aws:iam::111111111111:role/my-lambda-execution-role" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 3ee72085-6397-4110-808a-be9bf5b1ae73; Proxy: null)
```
Reproduction Steps
Deploy this stack to replicate the issue
```ts
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Role, ArnPrincipal } from 'aws-cdk-lib/aws-iam';

export class IamStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // Trust policy whose Principal is one specific role in another account,
    // rather than that account's root principal
    new Role(this, 'my-role', {
      assumedBy: new ArnPrincipal('arn:aws:iam::111111111111:role/my-lambda-execution-role'),
    });
  }
}
```
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.88.0
Framework Version
No response
Node.js Version
v16.20.1
OS
Mac OS Ventura 13.4.1
Language
Typescript
Language Version
No response
Other information
No response
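The trust policies being compared above, worked through as an added example that is not the reporter's code and not part of aws-cdk-lib. It builds the JSON that CDK synthesizes for a role-ARN principal and for an account-root principal, adds the third option a practitioner usually reaches for (account root as the Principal, restricted to the one role with an `aws:PrincipalArn` condition), and checks constructed sample callers against each with a deliberately simplified matcher. Two IAM facts motivate the third option and are worth checking when this exact error appears: IAM validates a role named in a Principal element when the policy is saved and rejects the document if that role does not exist, and if a trusted role is later deleted its ARN in the saved policy is replaced by the role's unique ID, so a recreated role with the same name is no longer trusted. A condition on `aws:PrincipalArn` is evaluated only at AssumeRole time and has neither problem. The `withConditions` CDK call named in a comment is assumed to be the equivalent construct and is not exercised here.

```typescript
// Added example: not code from the issue or from aws-cdk-lib. Builds the trust
// policies under discussion as the plain JSON CDK synthesizes and checks sample
// sts:AssumeRole callers against them with a deliberately simplified matcher.
// The account ID and role name are the placeholders used in the issue.

interface TrustStatement {
  Effect: 'Allow' | 'Deny';
  Action: string;
  Principal: { AWS: string };
  Condition?: Record<string, Record<string, string>>;
}

interface TrustPolicy {
  Version: '2012-10-17';
  Statement: TrustStatement[];
}

const TRUSTED_ACCOUNT = '111111111111';
const TRUSTED_ROLE = 'arn:aws:iam::' + TRUSTED_ACCOUNT + ':role/my-lambda-execution-role';

function allowAssumeRole(principalArn: string, condition?: Record<string, Record<string, string>>): TrustPolicy {
  const statement: TrustStatement = { Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { AWS: principalArn } };
  if (condition) statement.Condition = condition;
  return { Version: '2012-10-17', Statement: [statement] };
}

// What `new ArnPrincipal(roleArn)` synthesizes: the role itself is the principal.
// IAM checks that this role exists when the trust policy is saved.
function rolePrincipalPolicy(roleArn: string): TrustPolicy {
  return allowAssumeRole(roleArn);
}

// What `new ArnPrincipal('arn:aws:iam::111111111111:root')` synthesizes: any IAM
// principal in that account may assume the role, which the reporter wants to avoid.
function accountRootPolicy(accountId: string): TrustPolicy {
  return allowAssumeRole('arn:aws:iam::' + accountId + ':root');
}

// Account root as the Principal plus an aws:PrincipalArn condition. Nothing in the
// other account has to exist when the policy is saved, and only the named role
// passes the condition at AssumeRole time. The CDK equivalent is assumed to be
// `new AccountPrincipal(accountId).withConditions({ ArnEquals: { 'aws:PrincipalArn': roleArn } })`.
function accountRootWithRoleConditionPolicy(accountId: string, roleArn: string): TrustPolicy {
  return allowAssumeRole('arn:aws:iam::' + accountId + ':root', {
    ArnEquals: { 'aws:PrincipalArn': roleArn },
  });
}

// arn:partition:service:region:account:resource
function arnParts(arn: string): { service: string; account: string; resource: string } {
  const p = arn.split(':');
  if (p.length < 6 || p[0] !== 'arn') throw new Error('not an ARN: ' + arn);
  return { service: p[2], account: p[4], resource: p.slice(5).join(':') };
}

// The value IAM places in aws:PrincipalArn for the caller: an assumed-role session
// (arn:aws:sts::acct:assumed-role/Name/Session) is reported as its role ARN.
// Role paths are not reconstructed here.
function principalArnOf(callerArn: string): string {
  const { service, account, resource } = arnParts(callerArn);
  if (service === 'sts' && resource.indexOf('assumed-role/') === 0) {
    return 'arn:aws:iam::' + account + ':role/' + resource.split('/')[1];
  }
  return callerArn;
}

// Simplified evaluator: the caller satisfies an Allow statement when it matches the
// Principal element (an account root principal matches any principal of that account,
// otherwise the role ARN must match exactly) and every ArnEquals aws:PrincipalArn
// condition. Real IAM also applies Deny statements, wildcards and other condition keys.
function canAssume(policy: TrustPolicy, callerArn: string): boolean {
  const caller = principalArnOf(callerArn);
  return policy.Statement.some((s) => {
    if (s.Effect !== 'Allow' || s.Action !== 'sts:AssumeRole') return false;
    const principal = s.Principal.AWS;
    const principalOk = /:root$/.test(principal)
      ? arnParts(principal).account === arnParts(caller).account
      : principal === caller;
    if (!principalOk) return false;
    const cond = s.Condition ?? {};
    return Object.keys(cond).every((op) => {
      if (op !== 'ArnEquals') return false;
      const keys = cond[op];
      return Object.keys(keys).every((k) => k === 'aws:PrincipalArn' && keys[k] === caller);
    });
  });
}

// Sample callers (constructed): the Lambda's session under the trusted role, and a
// different role in the same trusted account.
const LAMBDA_SESSION = 'arn:aws:sts::' + TRUSTED_ACCOUNT + ':assumed-role/my-lambda-execution-role/lambda';
const OTHER_ROLE = 'arn:aws:iam::' + TRUSTED_ACCOUNT + ':role/some-other-role';

console.log('role principal, lambda session:', canAssume(rolePrincipalPolicy(TRUSTED_ROLE), LAMBDA_SESSION));
console.log('role principal, other role:    ', canAssume(rolePrincipalPolicy(TRUSTED_ROLE), OTHER_ROLE));
console.log('account root, other role:      ', canAssume(accountRootPolicy(TRUSTED_ACCOUNT), OTHER_ROLE));
console.log('root + condition, other role:  ', canAssume(accountRootWithRoleConditionPolicy(TRUSTED_ACCOUNT, TRUSTED_ROLE), OTHER_ROLE));
```

The account-root policy is the one the reporter found working and the one that admits every role in the account; the role-ARN policy and the root-plus-condition policy both admit only `my-lambda-execution-role`, and the latter can be deployed before that role exists and keeps working if the role is deleted and recreated.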
Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.