Revert "Fix EN-2223 Relax IambicHubRole sts:assumerole policy statement"

This reverts commit 09fb53d.
noqdev · Jul 11, 2023 · 2492747 · 2492747
1 parent 6726ce5
commit 2492747
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 8 deletions.
diff --git a/docs/web/docs/3-reference/6-aws_hub_and_spoke_roles.mdx b/docs/web/docs/3-reference/6-aws_hub_and_spoke_roles.mdx
@@ -37,18 +37,12 @@ for more details.
         "sts:TagSession",
         "sts:SetSourceIdentity"
       ],
-      "Resource": "arn:aws:iam::*:role/*"
+      "Resource": "arn:aws:iam::*:role/IambicSpokeRole*"
     }
   ]
 }
 ```
 
-A note about why the resource value for `sts:AssumeRole` is `*`. IAMbicHubRole can be used to broker credentials. Since it does not know ahead of time what role to assume, the value is relaxed to `*`. However, this alone does not mean IAMbicHubRole can assume Role X without Role X granting it permission on RoleX's Trust Policy. Role assumption requires both subject (IambicHubRole) and object (Role X) to establish a mutual trust relationship.
-
-To learn more about credential brokering, see [AWS Docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
-
-To learn more about Trust Policy, see [AWS Docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html)
-
 ## Spoke Role Permissions
 
 Each AWS account should have an IAMbicSpokeRole.

diff --git a/iambic/plugins/v0_1_0/aws/cloud_formation/templates/IambicHubRole.yml b/iambic/plugins/v0_1_0/aws/cloud_formation/templates/IambicHubRole.yml
@@ -47,7 +47,7 @@ Resources:
                   - sts:assumerole
                   - sts:SetSourceIdentity
                 Resource:
-                  - 'arn:aws:iam::*:role/*'
+                  - !Sub 'arn:aws:iam::*:role/${SpokeRoleName}*'
         - PolicyName: list_spoke_account_info
           PolicyDocument:
             Version: '2012-10-17'