'IAM PassRole restrictions

I need the permissions to pass an execution role to a Lambda when I create a CF. So I have given the role used for creating the CF this:

Effect: Allow
Action:
  - iam:PassRole
Resource:
  - "myexecutionrole"

So now my CF role can pass the execution role to any resource. I want to restrict this. I want it only to be able to pass the role to the Lambda function it is for. So I have been looking into policy conditions, put here I only find solution for restricting the source of the call not the target. Is that I want possible and how?

amazon-iam


Solution 1:[1]

You could use iam:AssociatedResourceArn. From docs:

Specifies the ARN of the resource to which this role will be associated at the destination service.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Marcin

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function