IAM PassRole restrictions

Time:04-06

I need the permissions to pass an execution role to a Lambda when I create a CF. So I have given the role used for creating the CF this:

Effect: Allow
Action:
  - iam:PassRole
Resource:
  - "myexecutionrole"

So now my CF role can pass the execution role to any resource. I want to restrict this. I want it only to be able to pass the role to the Lambda function it is for. So I have been looking into policy conditions, but here I only find solutions for restricting the source of the call, not the target. Is what I want possible, and how?

CodePudding user response:

You could use iam:AssociatedResourceArn. From the docs:

Specifies the ARN of the resource to which this role will be associated at the destination service.
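As an added illustration (not part of the original answer), here is the questioner's statement side by side with a version that uses the iam:AssociatedResourceArn condition key to restrict the target. The ARNs (region, account ID, role name, function name) are placeholders, and the function name is assumed to match the Lambda resource in the questioner's template.

```yaml
# Before: the CF role can pass the execution role to any resource.
# (ARNs are placeholders; the questioner's "myexecutionrole" is written out as a role ARN.)
- Effect: Allow
  Action:
    - iam:PassRole
  Resource:
    - arn:aws:iam::123456789012:role/myexecutionrole

# After: the role may only be passed when the destination resource is
# the one Lambda function it belongs to. iam:AssociatedResourceArn is an
# ARN-type key, so it is matched with ArnEquals (exact) or ArnLike (wildcards).
- Effect: Allow
  Action:
    - iam:PassRole
  Resource:
    - arn:aws:iam::123456789012:role/myexecutionrole
  Condition:
    ArnEquals:
      iam:AssociatedResourceArn:
        - arn:aws:lambda:eu-west-1:123456789012:function:my-function
    # Optional extra guard: only allow the pass when the receiving service
    # is Lambda, so the same role cannot be handed to EC2, ECS, etc.
    StringEquals:
      iam:PassedToService: lambda.amazonaws.com
```

If the function name is generated or several functions share the role, ArnLike with a pattern such as `arn:aws:lambda:eu-west-1:123456789012:function:my-prefix-*` narrows the target without hard-coding every name. To verify the restriction, attempt to create a second Lambda function (or another service resource) with the same role using the CF role's credentials; the PassRole call should be denied, and CloudTrail records the failed iam:PassRole evaluation.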
