@mchancloud
Created April 22, 2020 14:44
enforcing the role session name as principal tag
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleIfSessionNameEqualsAccessProjectSessionTagValue",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:RoleSessionName": "${aws:PrincipalTag/access-project}-${aws:PrincipalTag/access-team}",
          "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
          "aws:RequestTag/access-team": "${aws:PrincipalTag/access-team}"
        }
      }
    },
    {
      "Sid": "AllowPassSessionTagsAndTransitive",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/access-project": "*",
          "aws:RequestTag/access-team": "*"
        },
        "ForAllValues:StringEquals": {
          "sts:TransitiveTagKeys": [
            "access-project",
            "access-team"
          ]
        }
      }
    }
  ]
}
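As an added check (not part of the gist), the following Python models the two Condition blocks of the trust policy above so you can see which AssumeRole requests it admits: the session name must be exactly `<access-project>-<access-team>` taken from the caller's own principal tags, the session tags passed in the request must repeat those values, and only those two keys may be made transitive. Function and variable names are ours and the sample caller tags are constructed; this is a model of the condition logic, not the AWS evaluator.

```python
# Added example, not part of the gist: an offline model of the two condition blocks in the
# trust policy above, used to check which AssumeRole requests it admits. Names are ours.
from typing import Dict, List, Optional

TAG_KEYS = ("access-project", "access-team")
SESSION_NAME_TEMPLATE = "${aws:PrincipalTag/access-project}-${aws:PrincipalTag/access-team}"

def expand(template: str, principal_tags: Dict[str, str]) -> Optional[str]:
    """Resolve ${aws:PrincipalTag/<key>} from the caller's tags. None if a referenced
    tag is not set on the caller: an unresolved variable never matches (fails closed)."""
    out = template
    for key in TAG_KEYS:
        var = "${aws:PrincipalTag/%s}" % key
        if var in out:
            if key not in principal_tags:
                return None
            out = out.replace(var, principal_tags[key])
    return out

def assume_role_allowed(principal_tags: Dict[str, str], session_name: str,
                        request_tags: Dict[str, str]) -> bool:
    """Sid AllowAssumeRoleIf...: StringEquals on the session name and on both request tags."""
    expected = expand(SESSION_NAME_TEMPLATE, principal_tags)
    if expected is None or session_name != expected:
        return False
    # StringEquals against a key absent from the request is false (no ...IfExists here),
    # so omitting a session tag does not dodge the comparison.
    return all(key in request_tags and key in principal_tags
               and request_tags[key] == principal_tags[key] for key in TAG_KEYS)

def tag_session_allowed(request_tags: Dict[str, str], transitive_keys: List[str]) -> bool:
    """Sid AllowPassSessionTagsAndTransitive: both tags present (StringLike "*" only
    requires the key to exist) and every transitive key drawn from the allowed pair."""
    present = all(key in request_tags for key in TAG_KEYS)
    subset = all(key in TAG_KEYS for key in transitive_keys)  # ForAllValues:StringEquals
    return present and subset

def trust_policy_allows(principal_tags: Dict[str, str], session_name: str,
                        request_tags: Dict[str, str], transitive_keys: List[str]) -> bool:
    """An AssumeRole call that passes session tags needs both statements to allow it."""
    return (assume_role_allowed(principal_tags, session_name, request_tags)
            and tag_session_allowed(request_tags, transitive_keys))

# Constructed sample caller: a principal tagged access-project=peg, access-team=eng.
CALLER = {"access-project": "peg", "access-team": "eng"}
```

Because the session name becomes part of the assumed-role session ARN that CloudTrail records, a policy like this lets the project and team be read off each log entry with confidence rather than taken on trust from whatever name the caller chose.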