awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

RoleConfig AssumedByConfig allow for sts:TagSession #406

Open dgregan-flutter opened 9 months ago

dgregan-flutter commented 9 months ago

Is your feature request related to a problem? Please describe.

Currently I'm trying to deploy a role out via LZA to accounts within our AWS Org. This network-deploy role is to be assumed by a specific network-build role (e.g. arn:aws:iam::1111111:role/network-build-role). The trust relationship of this role requires sts:TagSession permissions to facilitate our network build.

However, in the AssumedByConfig class there isn't any setting to include sts:TagSession, and it looks like it might only allow for 'root':

assumedBy:
  - type: account
    principal: 'arn:aws:iam::111111111111:root'

Describe the feature you'd like

Allow for more granular assumedBy configuration for trust relationships of LZA-deployed IAM roles so that sts:TagSession can be included within the trust relationship.

Additional context

Add any other context or screenshots about the feature request here.
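To make the gap concrete, here is an added illustration (not code from landing-zone-accelerator-on-aws, and not the reporter's own) that builds the two trust-policy shapes the request contrasts and evaluates which STS actions each grants to a given caller. The account id and role names are constructed placeholders; the evaluator is a simplified model of the trust-policy side only (the caller's identity policy must separately allow sts:AssumeRole and sts:TagSession, and Condition blocks are ignored), so treat it as a review aid rather than a substitute for the IAM policy simulator.

```python
"""Model of how an IAM role trust policy gates sts:AssumeRole and sts:TagSession.

Added illustration, not code from landing-zone-accelerator-on-aws. Account ids
and role names below are constructed placeholders.
"""
import json

# Constructed sample identifiers (hypothetical; not from the project).
ACCOUNT_ID = "111111111111"
NETWORK_BUILD_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/network-build-role"
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/some-other-role"
FOREIGN_ROLE = "arn:aws:iam::222222222222:role/network-build-role"


def account_root_trust_policy(account_id: str) -> dict:
    """The shape the issue describes: trust the whole account, sts:AssumeRole only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def role_trust_policy(principal_role_arn: str, allow_session_tags: bool = True) -> dict:
    """Narrower trust: one named role, optionally also allowed to pass session tags."""
    actions = ["sts:AssumeRole"]
    if allow_session_tags:
        # Required whenever the AssumeRole call carries session Tags.
        actions.append("sts:TagSession")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_role_arn},
            "Action": actions,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn: str) -> str:
    # arn:partition:service:region:account-id:resource -> index 4 is the account id
    return arn.split(":")[4]


def _principal_matches(entry: str, caller_arn: str) -> bool:
    """A ':root' principal delegates to every IAM principal in that account;
    anything else must match the caller's ARN exactly."""
    if entry == "*":
        return True
    if entry.endswith(":root"):
        return _account_of(entry) == _account_of(caller_arn)
    return entry == caller_arn


def allowed_sts_actions(policy: dict, caller_arn: str) -> set:
    """STS actions the trust policy grants to caller_arn (an explicit Deny wins)."""
    allowed, denied = set(), set()
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        entries = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if not any(_principal_matches(e, caller_arn) for e in entries):
            continue
        actions = set(_as_list(stmt["Action"]))
        (allowed if stmt["Effect"] == "Allow" else denied).update(actions)
    return allowed - denied


def can_assume_with_session_tags(policy: dict, caller_arn: str) -> bool:
    """True only if the trust side permits both the assume and the tagging."""
    return {"sts:AssumeRole", "sts:TagSession"} <= allowed_sts_actions(policy, caller_arn)


if __name__ == "__main__":
    for name, policy in [("account-root", account_root_trust_policy(ACCOUNT_ID)),
                         ("named-role", role_trust_policy(NETWORK_BUILD_ROLE))]:
        print(f"--- {name} ---")
        print(json.dumps(policy, indent=2))
        for caller in (NETWORK_BUILD_ROLE, OTHER_ROLE, FOREIGN_ROLE):
            print(f"{caller}: tagged assume allowed = {can_assume_with_session_tags(policy, caller)}")
```

The two outcomes worth noticing: the account-root policy lets every principal in the account assume the role but never with session tags, while the named-role policy both narrows the trust to one caller and adds sts:TagSession, which is the combination the request asks AssumedByConfig to express.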

dgregan-flutter commented 9 months ago

As a workaround, I'm going to try deploying the role out via AWS CDK CfnStackSet, as we'll have greater control over the trust relationship for the role.

richardkeit commented 9 months ago

Relates to: