aws cdk - How to specify TrustRelationship of IAM role that will be used in many regions?

Question

I am creating one CDK stack that will create IAM roles. It will be deployed only once since roles are global. Second stack will use this role by finding it Role.fromRoleArn(...). This role will be assumed by step functions. I have following CDK construcuct in roles stack: assumedBy: new ServicePrincipal('states.amazonaws.com'). When I look at generated role, I see following on Trust relationship tab: The identity provider(s) states.eu-north-1.amazonaws.com. There is addition of region where role stack is deployed (eu-north-1), although, I did not specify it. When I create role using IAM console there is no addition of region The identity provider(s) states.amazonaws.com.
My aim is to use single role regardles in which region second stack is deployed and States function in every region could assume that role.
Edited:
Same code adds trust relationships lambda.amazonaws.com and apigateway.amazonaws.com. For those relationships region is not added.
How to get rid of region from AWS Service when creating role?

question from:https://stackoverflow.com/questions/66046109/how-to-specify-trustrelationship-of-iam-role-that-will-be-used-in-many-regions

Answer 1

Seems like not supported at the moment for sake of least privilege principle, see https://github.com/aws/aws-cdk/issues/2999. You can try to open new feature request with your use case.

However, you still can use low level Cfn classes to achieve what you want - https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-iam.CfnRole.html#class-cfnrole-construct