
IAM policy problem I want to attach only one policy and deny others


I have created a policy like the one below. I want to allow CreateRole with the snowflake_access policy only. Every time I execute the lambda code I can also attach other policies to this role. I don't know why, because I have clearly denied other policies and allowed only one. Can someone help me with that?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "arn:aws:iam::*:role/snowflake-role*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": [
                "arn:aws:iam::7882...:policy/snowflake_access",
                "arn:aws:iam::*:role/snowflake-role*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": "iam:*",
            "Resource": [
                "arn:aws:iam::*:role/snowflake-role*"
            ]
        }
    ]
}

Solution

  • If you look at actions defined by IAM, you will see a table that maps actions to, among other things, resource types and condition keys. For example:

    Action             Resource Type(s)   Condition Keys
    AttachRolePolicy   role*              iam:PolicyARN, iam:PermissionsBoundary
    CreateRole         role*              iam:PermissionsBoundary, aws:TagKeys, aws:RequestTag/${TagKey}

    Note specifically that the AttachRolePolicy action applies to IAM roles only, not to policies. You've indicated a role ARN (snowflake-role*) and a policy ARN (snowflake_access), but only the former is legal here.

    The same table entry also indicates that iam:PolicyARN is a valid condition key for the AttachRolePolicy action. So, to indicate a policy ARN, you can add a condition key of iam:PolicyARN, something like this.

    {
        "Sid": "sid1",
        "Effect": "Allow",
        "Action": "iam:AttachRolePolicy",
        "Resource": [
            "arn:aws:iam::*:role/snowflake-role*"
        ],
        "Condition": {
            "StringEquals": {
                "iam:PolicyARN": "arn:aws:iam::7882...:policy/snowflake_access"
            }
        }
    }

    I'm not sure this resolves all of the problems you have, but I think it's one part of the problem.
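Added example, not part of the question or the answer above: a small Python model of the IAM evaluation rules that matter here (Action and Resource wildcard matching, a StringEquals condition, explicit deny over allow), run against the asker's AttachRolePolicy statement and the answer's corrected one. The account id, role name and second policy ARN are constructed sample values, and the evaluator is a deliberately simplified model, not the real IAM engine.

```python
import fnmatch

# Constructed sample ARNs (the page elides the account id as "7882...")
ACCOUNT = "123456789012"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/snowflake-role-etl"
GOOD_POLICY = f"arn:aws:iam::{ACCOUNT}:policy/snowflake_access"
OTHER_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource, context):
    """True if the statement's Action, Resource and Condition all match the request."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    # Resource is compared ONLY with the request's resource. For AttachRolePolicy
    # that is the role ARN, so a policy ARN listed under Resource matches nothing.
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # Simplified model: only the StringEquals operator is handled.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def evaluate(policy, action, resource, context):
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny."""
    matched = [s for s in policy["Statement"] if statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    return "Allow" if any(s["Effect"] == "Allow" for s in matched) else "ImplicitDeny"

# The asker's statement: the policy ARN sits under Resource, where it never matches.
ORIGINAL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:AttachRolePolicy",
    "Resource": [GOOD_POLICY, "arn:aws:iam::*:role/snowflake-role*"]}]}

# The answer's fix: the role under Resource, the policy ARN in an iam:PolicyARN condition.
FIXED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:AttachRolePolicy",
    "Resource": "arn:aws:iam::*:role/snowflake-role*",
    "Condition": {"StringEquals": {"iam:PolicyARN": GOOD_POLICY}}}]}

def attach(policy, policy_arn, role=ROLE):
    """Decision for AttachRolePolicy on `role`, with `policy_arn` as the iam:PolicyARN key."""
    return evaluate(policy, "iam:AttachRolePolicy", role, {"iam:PolicyARN": policy_arn})
```

With ORIGINAL, attaching AdministratorAccess to the role is allowed just like snowflake_access, because the Resource list never constrains the policy being attached; with FIXED, only snowflake_access passes the condition. Adding the question's Deny iam:* statement on snowflake-role* to either policy turns every decision for those roles into Deny, since an explicit deny overrides any allow.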