Creating a role for IAM Roles anywhere requires a trust policy with sts:SetSourceIdentity #21186

royby-cyberark · 2022-07-17T09:25:23Z

royby-cyberark
Jul 17, 2022

Hi,
i'm attempting to create a role for "iam role anywhere", and it requires the following trust policy:
I can add sts:TagSession with "aws_cdk.iam.ServicePrincipal.withSessionTags", but I see no way to add the SetSourceIdentity.
I was thinking that you simply provide a list of actions, but seeing "withSessionTags", I understand this isn't so.
what are my options, until something is implemented, maybe going with CfnRole?

///
"Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession",
                "sts:SetSourceIdentity"
            ]
}
...

Thank you for your help.
Roy.

Answered by royby-cyberark

Aug 4, 2022

So I guess this is missing from CDK,
until its added, I wrote this blog on IAM Roles anywhere, which also includes a fully working CDK example:

https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be

Hope this helps someone

View full answer

royby-cyberark · 2022-08-04T16:11:06Z

royby-cyberark
Aug 4, 2022
Author

So I guess this is missing from CDK,
until its added, I wrote this blog on IAM Roles anywhere, which also includes a fully working CDK example:

https://medium.com/cyberark-engineering/calling-aws-services-from-your-on-premises-servers-using-iam-roles-anywhere-3e335ed648be

Hope this helps someone

0 replies

2023-12-02T00:54:09Z

github-actions[bot]
bot Dec 2, 2023

Hello! Reopening this discussion to make it searchable.

0 replies

mohamed-jawad-etg · 2024-02-12T21:36:38Z

mohamed-jawad-etg
Feb 12, 2024

I was stuck on this trying to create a role with trusted relationship for EKS Pod Identities and got that resolved by

const podsEksPrinciple=new cdk.aws_iam.ServicePrincipal('pods.eks.amazonaws.com')
const sessionTagsPrincipal = new cdk.aws_iam.SessionTagsPrincipal(podsEksPrinciple);
// IAM Role
const eksAuthRole = new cdk.aws_iam.Role(cluster, 'EksAuthRole', 
{
    assumedBy: sessionTagsPrincipal,
});

0 replies

nemec · 2024-12-07T07:00:10Z

nemec
Dec 7, 2024

You can also update the role policy after creating the CDK Role object

const role = new Role(this, "MyRole", {
  assumedBy: new ServicePrincipal("rolesanywhere.amazonaws.com"),
  inlinePolicies: policies,
});
role.assumeRolePolicy?.addStatements(
  new PolicyStatement({
    effect: Effect.ALLOW,
    principals: [new ServicePrincipal("rolesanywhere.amazonaws.com")],
    actions: [
      "sts:AssumeRole",  // this is probably unnecessary since the CDK role creation also adds a policy for AssumeRole
      "sts:TagSession",
      "sts:SetSourceIdentity"
    ],
    conditions: {
      ...
    },
  }),
);

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Creating a role for IAM Roles anywhere requires a trust policy with sts:SetSourceIdentity #21186

{{title}}

Replies: 4 comments

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Creating a role for IAM Roles anywhere requires a trust policy with sts:SetSourceIdentity #21186

royby-cyberark Jul 17, 2022

Replies: 4 comments

royby-cyberark Aug 4, 2022 Author

github-actions[bot] bot Dec 2, 2023

mohamed-jawad-etg Feb 12, 2024

nemec Dec 7, 2024

royby-cyberark
Jul 17, 2022

royby-cyberark
Aug 4, 2022
Author

github-actions[bot]
bot Dec 2, 2023

mohamed-jawad-etg
Feb 12, 2024

nemec
Dec 7, 2024