I want to create a policy where the user is restricted from creating a role without my permission boundary! i tried using iam:AttachRolePolicy and Iam:putRolePermissionBoundary but not working still!
The config you are attempting would be accomplished if you granted the user the iam:CreateRole permission with a condition. For example if your permission boundary is a a policy called myPermissionBoundary then attaching the policy below would allow the user to create a role IFF the user also attached the permission boundary to that role.
{
"Sid": "CreateRoleIffPermInPlace",
"Effect": "Allow",
"Action": [
"iam:CreateRole"
],
"Resource": *,
"Condition": {
"StringLike": {
"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/myPermissionBoundary"
}
}
}