aws cdk - How to specify TrustRelationship of IAM role that will be used in many regions?

I am creating one CDK stack that will create IAM roles. It will be deployed only once, since roles are global. A second stack will use this role by finding it with Role.fromRoleArn(...). This role will be assumed by Step Functions. I have the following CDK construct in the roles stack: assumedBy: new ServicePrincipal('states.amazonaws.com'). When I look at the generated role, I see the following on the Trust relationships tab: "The identity provider(s) states.eu-north-1.amazonaws.com". The region where the role stack is deployed (eu-north-1) has been added, although I did not specify it. When I create the role using the IAM console, no region is added: "The identity provider(s) states.amazonaws.com".

My aim is to use a single role regardless of which region the second stack is deployed in, so that a Step Functions state machine in every region could assume that role.

Edited:

The same code adds the trust relationships lambda.amazonaws.com and apigateway.amazonaws.com. For those relationships the region is not added.

How do I get rid of the region in the AWS service principal when creating the role?

question from: https://stackoverflow.com/questions/66046109/how-to-specify-trustrelationship-of-iam-role-that-will-be-used-in-many-regions


1 Answer


It seems this is not supported at the moment, for the sake of the least-privilege principle; see https://github.com/aws/aws-cdk/issues/2999. You can try to open a new feature request with your use case.

However, you can still use the low-level Cfn classes to achieve what you want: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.CfnRole.html#class-cfnrole-construct
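The CfnRole route from the answer, worked out as an added example (my code, not from the question, the answer or the aws-cdk project, and it does not import aws-cdk-lib so it runs on its own). buildTrustPolicy returns the object that the roles stack would pass as assumeRolePolicyDocument to iam.CfnRole; because CfnRole serialises the document verbatim, the principal stays states.amazonaws.com instead of being rewritten to states.eu-north-1.amazonaws.com as the asker saw with iam.Role and ServicePrincipal. findRegionalPrincipals is the check I would run over the synthesized template in cdk.out before deploying, so a region-pinned principal is caught before it breaks assume-role from other regions. The logical ids, the sample template and the account id 123456789012 are constructed placeholders; the aws:SourceAccount condition is my addition as a confused-deputy guard and is not something the thread discusses.

```typescript
// Added example; not code from the original question, the answer or the aws-cdk project.

interface TrustStatement {
  Effect: "Allow" | "Deny";
  Principal: { Service?: string | string[]; AWS?: string | string[] };
  Action: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}

/**
 * Region-agnostic trust policy for the roles stack. In CDK it would be used as
 *   new iam.CfnRole(this, "StatesRole", {
 *     assumeRolePolicyDocument: buildTrustPolicy(["states.amazonaws.com"], this.account),
 *   });
 * CfnRole emits the object as written, so no region is inserted into the principal.
 * The optional aws:SourceAccount condition is my addition (confused-deputy guard):
 * only Step Functions acting for this account may assume the role, in any region.
 */
function buildTrustPolicy(services: string[], sourceAccount?: string): TrustPolicy {
  const statement: TrustStatement = {
    Effect: "Allow",
    Principal: { Service: services },
    Action: "sts:AssumeRole",
  };
  if (sourceAccount !== undefined) {
    statement.Condition = { StringEquals: { "aws:SourceAccount": sourceAccount } };
  }
  return { Version: "2012-10-17", Statement: [statement] };
}

// "states.eu-north-1.amazonaws.com" -> "eu-north-1"; "states.amazonaws.com" -> null.
const REGIONAL_PRINCIPAL = /^([a-z0-9-]+)\.([a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$/;

function regionOfServicePrincipal(principal: string): string | null {
  const m = REGIONAL_PRINCIPAL.exec(principal);
  return m ? m[2] : null;
}

interface Finding { logicalId: string; principal: string; region: string }

/**
 * Pre-deployment check: walk every AWS::IAM::Role in a CloudFormation template
 * (e.g. a cdk.out/*.template.json after `cdk synth`) and report service principals
 * pinned to one region, which is what stops assume-role from other regions.
 */
function findRegionalPrincipals(template: { Resources?: Record<string, any> }): Finding[] {
  const findings: Finding[] = [];
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    if (res.Type !== "AWS::IAM::Role") continue;
    const doc: TrustPolicy | undefined = res.Properties?.AssumeRolePolicyDocument;
    for (const stmt of doc?.Statement ?? []) {
      const svc = stmt.Principal?.Service;
      const services = svc === undefined ? [] : Array.isArray(svc) ? svc : [svc];
      for (const principal of services) {
        const region = regionOfServicePrincipal(principal);
        if (region !== null) findings.push({ logicalId, principal, region });
      }
    }
  }
  return findings;
}

// Constructed sample template (hand-written, not real cdk synth output). RoleFromIamRole
// mirrors what the asker saw in eu-north-1; RoleFromCfnRole carries the document built above.
// 123456789012 is a placeholder account id.
const sampleTemplate = {
  Resources: {
    RoleFromIamRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [{
            Effect: "Allow",
            Action: "sts:AssumeRole",
            Principal: { Service: ["states.eu-north-1.amazonaws.com", "lambda.amazonaws.com", "apigateway.amazonaws.com"] },
          }],
        },
      },
    },
    RoleFromCfnRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: buildTrustPolicy(
          ["states.amazonaws.com", "lambda.amazonaws.com", "apigateway.amazonaws.com"],
          "123456789012",
        ),
      },
    },
  },
};

console.log(findRegionalPrincipals(sampleTemplate));
```

Run it with ts-node: the only finding is states.eu-north-1.amazonaws.com on RoleFromIamRole, and RoleFromCfnRole is clean. One trade-off of dropping to CfnRole is that you lose the Role construct's conveniences (grant* methods, automatic policy attachment), which is why the consuming stack still wraps the ARN with Role.fromRoleArn as the question already does.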
