AWS IAM role chaining doesn't grant the policy from the child role

Time:07-21

I have a policy called FooPol that is attached to the user, shown below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::000000000000:role/fooRole",
            "Effect": "Allow"
        }
    ]
}

The fooRole has a policy called BarPol attached, shown below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::000000000000:role/barRole",
            "Effect": "Allow"
        }
    ]
}

The barRole itself can perform cloudformation:DescribeStacks. Somehow the access to perform cloudformation:DescribeStacks is denied for role fooRole, but it is authorized when I attach BarPol directly to the user. Why is that?

CodePudding user response:

This is expected. When a user assumes a role, the user loses all of its permissions and inherits only the permissions that the assumed role has.
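To make that evaluation rule concrete, below is an added Python model of the scenario; it is not code from the question or the answer. It reuses the two policies from the question, assumes a third, constructed policy on barRole that allows cloudformation:DescribeStacks, and deliberately ignores trust policies, session tags and permission boundaries so that only the core rule is visible: an assumed-role session carries the role's own policies and nothing from the caller.

```python
import fnmatch

ACCOUNT = "000000000000"  # account id taken from the question
FOO_ROLE = f"arn:aws:iam::{ACCOUNT}:role/fooRole"
BAR_ROLE = f"arn:aws:iam::{ACCOUNT}:role/barRole"

# FooPol and BarPol as posted in the question.
FOO_POL = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Resource": FOO_ROLE, "Effect": "Allow"}]}
BAR_POL = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Resource": BAR_ROLE, "Effect": "Allow"}]}
# Constructed assumption: what barRole's own policy looks like (the question only
# says barRole "can perform cloudformation:DescribeStacks").
BAR_ROLE_POL = {"Version": "2012-10-17", "Statement": [
    {"Action": "cloudformation:DescribeStacks", "Resource": "*", "Effect": "Allow"}]}

# Identity-based policies attached to each principal.
PRINCIPALS = {
    "user": [FOO_POL],
    FOO_ROLE: [BAR_POL],
    BAR_ROLE: [BAR_ROLE_POL],
}

# Constructed sample resource for the DescribeStacks call.
STACK_ARN = f"arn:aws:cloudformation:us-east-1:{ACCOUNT}:stack/demo/1234"


def _as_list(value):
    # IAM allows a single string or a list in Action / Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any
    matching Allow grants access, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def assume_role(caller_policies, role_arn):
    """Model of sts:AssumeRole. The caller must be allowed sts:AssumeRole on the
    role; the session that comes back carries ONLY the role's policies.
    Trust policies are not modelled here (assumption: they allow the caller)."""
    if not is_allowed(caller_policies, "sts:AssumeRole", role_arn):
        raise PermissionError(f"AccessDenied: caller may not assume {role_arn}")
    return list(PRINCIPALS[role_arn])


def can_describe_stacks(chain, extra_user_policies=()):
    """Start from the user (plus any extra policies attached directly to it),
    assume each role in `chain` in order, and report whether the final session
    may call cloudformation:DescribeStacks."""
    policies = PRINCIPALS["user"] + list(extra_user_policies)
    for role_arn in chain:
        policies = assume_role(policies, role_arn)
    return is_allowed(policies, "cloudformation:DescribeStacks", STACK_ARN)


if __name__ == "__main__":
    print("user only:           ", can_describe_stacks([]))                    # False
    print("user -> fooRole:     ", can_describe_stacks([FOO_ROLE]))            # False, as in the question
    print("user -> foo -> bar:  ", can_describe_stacks([FOO_ROLE, BAR_ROLE]))  # True
    print("BarPol on user -> bar", can_describe_stacks([BAR_ROLE], [BAR_POL]))  # True
```

The session for fooRole holds exactly one permission, sts:AssumeRole on barRole, so DescribeStacks from that session is an implicit deny; the call succeeds only after the second hop to barRole. Attaching BarPol directly to the user works because it lets the user skip fooRole and assume barRole in one step. Two caveats the model leaves out: each role's trust policy must also name the caller, and a session obtained through role chaining is limited by AWS to a maximum duration of one hour regardless of the role's configured maximum.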
