I need the permissions to pass an execution role to a Lambda when I create a CF. So I have given the role used for creating the CF this:
Effect: Allow
Action:
- iam:PassRole
Resource:
- "myexecutionrole"
So now my CF role can pass the execution role to any resource. I want to restrict this. I want it only to be able to pass the role to the Lambda function it is for. So I have been looking into policy conditions, but here I only find solutions for restricting the source of the call, not the target. Is what I want possible, and how?
CodePudding user response:
You could use iam:AssociatedResourceArn. From the docs:
Specifies the ARN of the resource to which this role will be associated at the destination service.
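As an added example (not part of the original answer), here is a policy statement in the same YAML style as the question that pairs iam:PassRole with that condition key. The account id, region, role name and function name are placeholders to be replaced with your own values:

```yaml
# Added example: allow iam:PassRole only when the execution role is being
# attached to one specific Lambda function. All ARN components below
# (account id, region, role name, function name) are placeholders.
- Effect: Allow
  Action:
    - iam:PassRole
  Resource:
    # The role being passed (the "myexecutionrole" from the question).
    - arn:aws:iam::123456789012:role/myexecutionrole
  Condition:
    # The pass is only allowed when the destination resource is this
    # function. ArnLike also accepts a wildcard pattern (e.g. a name
    # prefix) if several functions should share the role.
    ArnLike:
      iam:AssociatedResourceArn:
        - arn:aws:lambda:us-east-1:123456789012:function:my-function
    # Defence in depth: the role may only be passed to the Lambda service,
    # so it cannot be handed to EC2, ECS, Glue, etc. even with a matching ARN.
    StringEquals:
      iam:PassedToService: lambda.amazonaws.com
```

A condition key that the calling service does not supply evaluates to false, so the Allow would simply never match; confirm in the IAM condition-key documentation that the target service passes iam:AssociatedResourceArn before relying on it, and test the deployment in a non-production account.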