
chore: Use appropriate mapping of assume_role_policy #570


Conversation


@waskow-consensys waskow-consensys commented May 29, 2025

Description

In https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/ we need to allow the role to assume itself.
The current configuration was set to AWS: "*" with a conditional.
This is detected as a bad policy by AWS, which flags the trust policy:

Overly permissive trust policy exists in your trust relationships
Broad access: Principals that include a wildcard (*, ?) can be overly permissive.

Additionally, this "Self Assume" causes IAM looping, which can lead to multiple requests, increased CloudTrail audit logs, etc.

Motivation and Context

This saves security teams from seeing AWS: "*" and panicking

Breaking Changes

No

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request
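An added example (my own, not the module's code or this PR's change) that triages the pattern the description describes: a trust statement whose `AWS: "*"` principal is pinned by a condition on the caller identity, versus one that is genuinely unscoped. It assumes the self-assume statement takes the form shown in the linked AWS blog post (wildcard principal plus an `aws:PrincipalArn` condition); the sample policies and the role ARN are constructed.

```python
# Added example: triage trust-policy statements that use a wildcard principal.
# Assumes the self-assume statement follows the form shown in the linked AWS
# blog post (Principal AWS "*" plus an aws:PrincipalArn condition); sample
# policies and the role ARN below are constructed, not taken from the module.

ASSUME_ACTIONS = {"sts:assumerole", "sts:tagsession", "sts:setsourceidentity", "sts:*"}
# Condition keys that pin *who* the caller is; a wildcard principal guarded by
# one of these is scoped, even though it still reads as AWS: "*".
SCOPING_KEYS = {"aws:principalarn", "aws:principalaccount", "aws:principalorgid"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify_statement(stmt: dict) -> str:
    """Return 'explicit', 'scoped-wildcard', 'unscoped-wildcard' or 'not-relevant'."""
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
        return "not-relevant"
    principal = stmt.get("Principal", {})
    aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if "*" not in aws_principals:
        return "explicit"
    # Wildcard principal: look for a positive condition that pins the caller.
    for operator, pairs in stmt.get("Condition", {}).items():
        op = operator.lower().split(":")[-1]  # drop ForAnyValue:/ForAllValues: prefix
        if "not" in op or not (op.startswith("arn") or op.startswith("string")):
            continue
        for key, value in pairs.items():
            if key.lower() in SCOPING_KEYS and all(v != "*" for v in _as_list(value)):
                return "scoped-wildcard"
    return "unscoped-wildcard"

def classify_policy(policy: dict) -> list:
    return [classify_statement(s) for s in _as_list(policy["Statement"])]

# Constructed samples: the self-assume pattern (scoped), an open trust (unscoped), explicit.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleRole"  # constructed placeholder
SELF_ASSUME = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"},
    "Condition": {"ArnEquals": {"aws:PrincipalArn": ROLE_ARN}}}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
EXPLICIT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": ROLE_ARN}}]}

if __name__ == "__main__":
    for name, pol in [("self-assume", SELF_ASSUME), ("open", OPEN_TRUST), ("explicit", EXPLICIT)]:
        print(f"{name}: {classify_policy(pol)}")
```

Only the "unscoped-wildcard" result matches the "Broad access" finding quoted above; a scoped wildcard is the documented self-assume form and a negated operator such as ArnNotEquals is deliberately not treated as scoping.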


@waskow-consensys waskow-consensys changed the title chore: use appropriate mapping of assume_role_policy chore: Use appropriate mapping of assume_role_policy May 29, 2025
@bryantbiggs bryantbiggs (Member) commented

It is correct as written per the AWS docs; closing since this is not an appropriate change.
