
I'm using an IAM role for a Glue job that does some data processing; to accomplish this task I need to assume the role that executes the Glue job.

As an example, in the following CloudFormation template the IAM::Policy has permission to query a DynamoDB table and to get objects from an S3 bucket.

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

Resources:

  GlueAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref GlueRole
      PolicyName: glue_access_policy
      PolicyDocument:
        # Quoted so the YAML parser keeps the policy version as a string, not a date
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 's3:GetObject'
            Resource:
              - 's3_bucket_arn'
          - Effect: Allow
            Action:
              - 'dynamodb:DescribeTable'
              - 'dynamodb:Query'
            Resource:
              - 'dynamo_table_arn'

  GlueRole:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'glue.amazonaws.com'
            Action:
              - 'sts:AssumeRole'

Now, this question illustrates an example of assuming role B from role A (switching roles).

So my question is: is it possible or valid for GlueRole to assume GlueRole?

Miguel Trejo

1 Answer


As there is no limitation on a role assuming itself, and the docs state the following:

A policy that grants a user permission to assume a role must include a statement with the Allow effect on the following:

  • The sts:AssumeRole action
  • The Amazon Resource Name (ARN) of the role in a Resource element

it is straightforward to add this policy to the AWS::IAM::Policy resource in the CloudFormation template.

AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'

Resources:

  GlueAccessPolicy:
    Type: AWS::IAM::Policy
    Properties:
      Roles:
        - !Ref GlueRole
      PolicyName: glue_access_policy
      PolicyDocument:
        # Quoted so the YAML parser keeps the policy version as a string, not a date
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'sts:AssumeRole'
            # The role's own ARN: the identity policy grants AssumeRole on itself
            Resource: !GetAtt GlueRole.Arn

  GlueRole:
    Type: 'AWS::IAM::Role'
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              Service:
                - 'glue.amazonaws.com'
            Action:
              - 'sts:AssumeRole'

Miguel Trejo
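As an added example (not part of the question or the answer above), a small Python evaluator of the two checks IAM applies to a same-account sts:AssumeRole call: the caller's identity policy statement that the quoted docs describe, and the target role's trust policy. It assumes the trust policy has to name the caller explicitly (roles without the legacy implicit self-trust), uses a constructed account id, and writes the policies as the JSON-style dicts IAM evaluates rather than the template's YAML.

```python
import fnmatch
ACCOUNT = "123456789012"  # constructed sample account id
GLUE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/GlueRole"
# Identity policy from the answer's template, in the JSON form IAM evaluates.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": GLUE_ROLE_ARN}]}
# Trust policy from the answer's template: only the Glue service principal.
TRUST_SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["glue.amazonaws.com"]},
     "Action": ["sts:AssumeRole"]}]}
# Same trust policy with the role itself added as an explicit AWS principal (assumed fix).
TRUST_WITH_SELF = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["glue.amazonaws.com"]},
     "Action": ["sts:AssumeRole"]},
    {"Effect": "Allow", "Principal": {"AWS": GLUE_ROLE_ARN},
     "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value):
    """IAM-style wildcard match ('*' and '?') over one or more patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def identity_policy_allows(policy, action, resource):
    """Caller-side check: some statement allows action on resource, none denies."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if _match(stmt.get("Action", []), action) and _match(stmt.get("Resource", []), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trust_policy_allows(trust_policy, caller_arn):
    """Role-side check: an Allow statement names the caller, its account root, or '*'."""
    root = f"arn:aws:iam::{caller_arn.split(':')[4]}:root"
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or not _match(stmt["Action"], "sts:AssumeRole"):
            continue
        p = stmt.get("Principal", {})
        aws = _as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]
        if caller_arn in aws or root in aws or "*" in aws:
            return True
    return False  # a Service-only principal never admits an IAM role caller

def can_assume(identity_policy, trust_policy, caller_arn, target_arn):
    """Both halves must pass for sts:AssumeRole to succeed in the same account."""
    return (identity_policy_allows(identity_policy, "sts:AssumeRole", target_arn)
            and trust_policy_allows(trust_policy, caller_arn))
```

Run with the answer's trust policy, the self-assumption fails on the trust side even though the identity policy allows it; it passes only once the role is listed as an AWS principal in its own trust policy.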