I am creating a role using the CDK and I need to add sts:SetSourceIdentity to the AssumeRolePolicyDocument.

My code looks like this currently:
    new Role(this, 'MyRole', {
      assumedBy: new AccountPrincipal(Stack.of(this).account),
      ...
    });
This results in an AssumeRolePolicyDocument that looks like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::0123456789012:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
I need it to look like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::0123456789012:root"
          },
          "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"]
        }
      ]
    }
The generated CloudFormation from the CDK code above ends up like this:
    "MyRoleCF2E104D": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "AWS": {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":iam::0123456789012:root"
                    ]
                  ]
                }
              }
            }
          ],
          "Version": "2012-10-17"
        },
        ...
      },
I can't figure out how to get the sts:SetSourceIdentity added to the Action in the CloudFormation. Any ideas? Do I need to eject to the L1 construct?
CodePudding user response:
addStatements adds new actions to the role's assume role policy document:
    // Assumes CDK v2 (aws-cdk-lib); on CDK v1 the import is '@aws-cdk/aws-iam'.
    import * as iam from 'aws-cdk-lib/aws-iam';

    // `role` is the Role created above; `this` is the enclosing Stack (this.account).
    // assumeRolePolicy is optional on IRole, hence the `?.`. This appends a second
    // statement to the trust policy rather than extending the first one's Action list.
    role.assumeRolePolicy?.addStatements(
      new iam.PolicyStatement({
        actions: ['sts:SetSourceIdentity'],
        principals: [new iam.AccountPrincipal(this.account)],
      })
    );
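Added example, not code from the question or the answer: a small checker for the AssumeRolePolicyDocument in a synthesized template. It unions the STS actions each Allow statement grants to one principal, so the single-statement form (Action as an array) and the two-statement form that addStatements produces are judged the same way; it also resolves the Fn::Join/Ref form the CDK emits for the account ARN. The sample document and the partition mapping are constructed for the example.

```typescript
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
type JsonObj = { [k: string]: Json };

// Resolve the intrinsics that appear in the trust policy (Fn::Join, Ref); anything else is an error.
function resolveArn(v: Json, refs: Record<string, string>): string {
  if (typeof v === "string") return v;
  if (v !== null && typeof v === "object" && !Array.isArray(v)) {
    if ("Ref" in v) {
      const name = String(v["Ref"]);
      const val = refs[name];
      if (val === undefined) throw new Error(`unresolved Ref: ${name}`);
      return val;
    }
    if ("Fn::Join" in v) {
      const [sep, parts] = v["Fn::Join"] as [string, Json[]];
      return parts.map((p) => resolveArn(p, refs)).join(sep);
    }
  }
  throw new Error(`unsupported principal value: ${JSON.stringify(v)}`);
}

// IAM accepts Action/Principal values as a single string or an array; normalise to an array.
function asList(v: Json | undefined): Json[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Sorted union of the actions every Allow statement grants to `principalArn`.
function allowedActionsFor(doc: Json, principalArn: string,
    refs: Record<string, string> = { "AWS::Partition": "aws" }): string[] {
  const out = new Set<string>();
  for (const stmt of asList((doc as JsonObj)["Statement"])) {
    const s = stmt as JsonObj;
    if (s["Effect"] !== "Allow") continue;
    const principal = s["Principal"];
    const arns = typeof principal === "string"
      ? [principal]
      : asList((principal as JsonObj)["AWS"]).map((p) => resolveArn(p, refs));
    if (!arns.includes(principalArn)) continue;
    for (const a of asList(s["Action"])) out.add(String(a));
  }
  return Array.from(out).sort();
}

// Constructed sample: the two-statement document the addStatements call yields after synth.
const cdkArn: Json = { "Fn::Join": ["", ["arn:", { Ref: "AWS::Partition" }, ":iam::0123456789012:root"]] };
const sampleTrustPolicy: Json = {
  Version: "2012-10-17",
  Statement: [
    { Action: "sts:AssumeRole", Effect: "Allow", Principal: { AWS: cdkArn } },
    { Action: "sts:SetSourceIdentity", Effect: "Allow", Principal: { AWS: cdkArn } },
  ],
};
```

Run it against the `AssumeRolePolicyDocument` pulled from `cdk synth` output to confirm the intended principal, and only that principal, ends up with both actions.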