Assumable role in an AWS cloud formation

Question

Using AWS, I'm building a cloud formation stack defining the following:

1. Several resources (for the sake of simplicity, not transcribed below)
2. A Policy called MyPolicy allowing to use those resources (for the sake of simplicity, not transcribed below)
3. A Role called MyRole submitted to that policy

The stack will be created by an admin; and once created, the goal is to allow (from outside the stack) some users to assume MyRole in order to use the several resources.

My question: How should the role be defined in order be assumable by users (specific users would be allowed from outside the stack)?

In AWS help page, they give an example where "Service": [ "ec2.amazonaws.com" ] , meaning that an ec2 instance is allowed to assume that rôle... But I don't understand how it translates to users, and no example is given regarding that scenario.

Below is my stack definition using JSON format:

{
    "AWSTemplateFormatVersion" : "2010-09-09",
    "Resources" : {
        "MyRole" : {
            "Type": "AWS::IAM::Role",
            "RoleName": "MyRole",
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": { "Service": [ "??" ] },
                        "Action": [ "sts:AssumeRole" ]
                    }
                ]
            },
            "ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ],
        }
    }
}

Answer 1

Good question! Simply use your root user ARN as the principal. This will allow you to control which user can assume the role using IAM. Here's an example (in YAML for my own sanity):

  AdministratorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: administrator
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
          Action: sts:AssumeRole
          Condition:
            Bool:
              aws:MultiFactorAuthPresent: 'true'
      Path: "/"
      ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AdministratorAccess

  AssumeAdministratorRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: "AssumeRolePolicy-Administrator"
      Description: "Assume the administrative role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Sid: "AssumeAdministratorRolePolicy"
          Effect: "Allow"
          Action:
          - "sts:AssumeRole"
          Resource: !GetAtt AdministratorRole.Arn

  AssumeAdministratorRoleGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: "AssumeRoleGroup-Administrator"
      ManagedPolicyArns:
      - !Ref AssumeAdministratorRolePolicy

Only thing left is to add user to the AssumeRoleGroup-Administrator group.

Bonus: I've added a condition to only allow users that have logged using MFA to assume the role.

Also, just swap your ${AWS::AccountId} for another account ID you own and you can cross-account assume roles easily.

Answer 2

Let says you want Account B can assume the Role to Access Account A to have custom list S3 access and AWS managed Rout53 Full access:

Then use Account A for the CloudFormation below:

Parameters:
  AccountBId:
    Type: String

  environment:
    Type: String
    Default: development
    AllowedValues:
      - development
      - production

Resources:

# Account A:   

  ListS3Access:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
          Action:
          - "s3:ListAllMyBuckets"
          - "s3:ListBucket"
          - "s3:ListBucketVersions"
          - "s3:GetObject"
          Resource: '*'



  TestRole:
    Type: AWS::IAM::Role
    Description: Test Role
    DependsOn:
      - ListS3Access
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub 'arn:aws:iam::${AccountBId}:root'
          Action: sts:AssumeRole
      ManagedPolicyArns:
      - !Ref ListS3Access
      - arn:aws:iam::aws:policy/AmazonRoute53FullAccess
      Tags:
        - Key: environment
          Value: !Ref environment

After you run the Account A cloudformation, you should get the TestRole arn, save it for Account B later usage

On the Account B for the CloudFormation Below:

Parameters:
  AccountAId:
    Type: String

  roleName:
    Type: String
    Default: xxxxxxxxx 
Resources:
  AssumeTestRolePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Assume My Test role"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
        - Sid: "AssumeTestRolePolicy"
          Effect: "Allow"
          Action:
          - "sts:AssumeRole"
          Resource: !Sub 'arn:aws:iam::${AccountAId}:role/${roleName}'

  AssumeTestRoleGroup:
    Type: AWS::IAM::Group
    DependsOn:
      - AssumeTestRolePolicy
    Properties:
      GroupName: "AssumeRoleGroup"
      ManagedPolicyArns:
      - !Ref AssumeTestRolePolicy

when you run the Account B cloudFormation, give the TestRole Arn you got from Account A , and provide it to roleName

After both cloudFormation has been deploy, login to Account B , assign the user to the group, and you should be able use the user to switch the Role.