dry-journalist-60579
02/15/2023, 7:22 PM
`AWSControlTowerAdmin` with the following `Trusted entities`:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "controltower.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
but I want to use Pulumi to make it so that another role can assume this role… what approach would I want to take? I thought to create an aws.iam.Policy as so:
import json

import pulumi
import pulumi_aws as aws

# ARN of the role that should be allowed to assume AWSControlTowerAdmin
# (read from stack config here; the config key name is an assumption)
SSO_ROLE_ARN = pulumi.Config().require("ssoRoleArn")

# Look up the existing role (a read-only data source, not a managed resource)
existing_role = aws.iam.get_role(name="AWSControlTowerAdmin")

# Identity-based (managed) policy. Note the "Principal" element: it is only
# valid in a resource-based policy such as a role's trust policy.
policy = aws.iam.Policy(
    "AllowSSOAdminsToAssumeAWSControlTowerAdmin",
    policy=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {"AWS": SSO_ROLE_ARN},
                }
            ],
        }
    ),
)

# Attach the managed policy to the existing role
attachment = aws.iam.RolePolicyAttachment(
    "AllowSSOAdminsToAssumeAWSControlTowerAdminAttachment",
    role=existing_role.name,
    policy_arn=policy.arn,
)
but I get MalformedPolicyDocument: Policy document should not specify a principal.
Would I just want to edit the existing_role itself rather than attaching a policy?
… SSO_ROLE_ARN that allows it to assume the existing_role?
steep-toddler-94095
02/15/2023, 7:31 PM
"Would I just want to edit the existing_role itself rather than attaching a policy?"
dry-journalist-60579
02/15/2023, 7:32 PM
existing_role = aws.iam.get_role(name="AWSControlTowerAdmin")
=> finds the existing role… But I can’t mutate it that way, right?
steep-toddler-94095
02/15/2023, 7:35 PM
dry-journalist-60579
02/15/2023, 7:36 PM
steep-toddler-94095
02/15/2023, 7:40 PM
dry-journalist-60579
02/15/2023, 7:42 PM
("Optional conditions for your role trust relationships" section)
steep-toddler-94095
02/15/2023, 7:43 PM
dry-journalist-60579
02/15/2023, 7:44 PM
pulumi import aws:iam/role:Role AWSControlTowerAdmin AWSControlTowerAdmin
steep-toddler-94095
02/15/2023, 7:46 PM
dry-journalist-60579
02/15/2023, 7:49 PM
steep-toddler-94095
02/15/2023, 7:50 PM
dry-journalist-60579
02/15/2023, 7:50 PM