I am trying to allow role A to assume role B. For testing purposes, both roles have AWS Administrator Access out of the box, with the ability to allow access to every resource with all permissions.
For role A to assume role B, role B must contain role A in the trust policy, like so:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::1234567890:assumed-role/ubuntu/botocore-session-xxx"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
For my particular case, the assumed role contains a nomenclature of botocore-session-xxx appended at the end, where "xxx" will always be a random set of numbers.
My issue is, because these sessions are dynamic and the xxx is randomly generated, I cannot manually input the corresponding digits of the actual botocore-session that is being used in the trust policy; it would not be feasible for me.
Instead, I tried going for a wildcard approach like so:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::1234567890:assumed-role/ubuntu/botocore-session-*"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
But the above is an invalid policy and does not work in AWS. Did I screw myself over with this approach? How can Role B contain an "open" trust policy to allow for Role A: assumed-role/test-ubuntu/botocore-session-xxx, considering that "xxx" will always be a set of randomly generated numbers?
Appreciate some guidance on this one.
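Added example, not part of the original post: the IAM Principal element accepts no wildcards other than a bare "*", but the stable identifier behind every botocore-session-xxx is the IAM role ARN (arn:aws:iam::ACCOUNT:role/NAME), and naming that role as the principal matches all of its sessions. The script below derives that role ARN from an assumed-role session ARN like the one in the question and builds Role B's trust policy from it, refusing wildcard principals up front; the account id and role name are the question's placeholders, and the path handling is an assumption noted in the comments.

```python
import json
import re

# Shape of the STS ARN that get-caller-identity returns for an assumed role:
#   arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
# Real account ids are 12 digits; \d+ also accepts the question's placeholder.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d+):"
    r"assumed-role/(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$"
)


def role_arn_from_session_arn(session_arn: str) -> str:
    """Map an assumed-role session ARN to the IAM role ARN it came from.

    The role ARN is what belongs in the trust policy: it covers every
    session of that role, so the random session suffix never appears.
    Assumption: the assumed-role ARN carries no path, so a role created
    under a path (e.g. /team/ubuntu) needs that path inserted by hand.
    """
    m = ASSUMED_ROLE_RE.match(session_arn)
    if not m:
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    return f"arn:{m['partition']}:iam::{m['account']}:role/{m['role']}"


def build_trust_policy(principal_arn: str) -> dict:
    """Build a trust policy that lets exactly one role call sts:AssumeRole."""
    if "*" in principal_arn or "?" in principal_arn:
        # IAM rejects wildcards inside a Principal ARN, so fail before deploying.
        raise ValueError("Principal ARNs cannot contain wildcards")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


if __name__ == "__main__":
    # Constructed sample in the shape the question shows for Role A.
    session_arn = "arn:aws:sts::1234567890:assumed-role/ubuntu/botocore-session-1700000000"
    role_arn = role_arn_from_session_arn(session_arn)
    print(json.dumps(build_trust_policy(role_arn), indent=2))
```

The printed document is the trust policy to attach to Role B; the session suffix from the question's ARN does not appear in it.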