Option 2: Applications can assume only the role that the trust policy allows - AWS Prescriptive Guidance

Option 2: Applications can assume only the role that the trust policy allows

In this scenario, two certificates have been provisioned in AWS Certificate Manager (ACM) from AWS Private Certificate Authority and shared with the applications that require access to AWS resources. Application 1 can assume only Role 1, and Application 2 can assume only Role 2. In the role trust policy, you configure certificate subject fields as conditions. These conditions allow the application to assume only a specific role. Because of the role permissions, only Application 1 can access Bucket 1, and only Application 2 can access Bucket 2. The following image shows the access that each application has.

[Figure: Applications that use different certificates and can assume only specific roles.]

In this option, you configure each role's trust policy to allow AssumeRole only when specific certificate attributes are present. The sample trust policies below show how to configure the Condition section to require a specific certificate subject common name (CN); the required CN is different for Role 1 and Role 2. IAM Roles Anywhere can evaluate these conditions because the trust anchor is bound to AWS Private CA: the service validates the presented certificate against that CA and then passes the certificate subject fields (for example, x509Subject/CN) to AWS STS as session tags, which is why the trust policy also allows sts:TagSession. This approach helps prevent unauthorized access to roles and data because an application cannot assume every role that is linked to the target profile; it can assume only the role whose trust policy condition matches its certificate. For example, you can segregate business data into different buckets, configure each role to allow access to only one of those buckets, and then use certificate-based conditions in the trust policy to define which role each application can assume. Note that a CN condition is only as strong as the issuance controls on the private CA: any certificate that the trust anchor's CA issues with the subject CN application-1.com satisfies the condition for Role 1, so restrict who can request certificates with those subject names.

The following sample trust policy for Role 1 has a condition that allows role assumption only if the certificate subject CN is application-1.com and if the trust anchor Amazon Resource Name (ARN) matches:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": "application-1.com"
        },
        "ArnEquals": {
          "aws:SourceArn": [
            "arn:aws:rolesanywhere:<region>:<account-ID>:trust-anchor/<TA_ID>"
          ]
        }
      }
    }
  ]
}

The following sample trust policy for Role 2 has a condition that allows role assumption only if the certificate subject CN is application-2.com and if the trust anchor ARN matches:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": "application-2.com"
        },
        "ArnEquals": {
          "aws:SourceArn": [
            "arn:aws:rolesanywhere:<region>:<account-ID>:trust-anchor/<TA_ID>"
          ]
        }
      }
    }
  ]
}
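To check that the two trust policies above really segregate the applications, the following added example (it is not AWS code and not part of this guide) evaluates them locally the way the text describes: the certificate subject is turned into the session tags that IAM Roles Anywhere attaches (aws:PrincipalTag/x509Subject/<field>), aws:SourceArn is set to the trust anchor ARN, and each statement's StringEquals and ArnEquals conditions are checked. The trust anchor ARN, the certificate subjects, and the role names are constructed placeholders; the policy documents are rebuilt from the samples above. The evaluator models only the conditions used on this page, not the full IAM policy language.

```python
"""Local evaluator for the Role 1 / Role 2 trust policies (added example).

Models the AssumeRole decision described on the page: IAM Roles Anywhere
exposes certificate subject fields as session tags and the trust policy
conditions are evaluated against those tags plus aws:SourceArn.
"""
import fnmatch
import json

# Constructed trust anchor ARN for the example (the page uses placeholders).
TRUST_ANCHOR_ARN = "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/ta-app"


def trust_policy(cn: str) -> dict:
    """Rebuild the page's sample trust policy for one application CN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:SetSourceIdentity", "sts:TagSession"],
            "Condition": {
                "StringEquals": {"aws:PrincipalTag/x509Subject/CN": cn},
                "ArnEquals": {"aws:SourceArn": [TRUST_ANCHOR_ARN]},
            },
        }],
    }


# Role names are hypothetical; the CNs are the ones used on the page.
ROLE_TRUST_POLICIES = {
    "Role1": trust_policy("application-1.com"),
    "Role2": trust_policy("application-2.com"),
}


def session_tags(subject: dict) -> dict:
    """Map certificate subject fields (CN, O, OU, ...) to the Roles Anywhere tag keys."""
    return {f"aws:PrincipalTag/x509Subject/{field}": value for field, value in subject.items()}


def _matches(policy_values, actual, wildcard: bool) -> bool:
    """StringEquals is exact and case-sensitive; ArnEquals/ArnLike allow * and ? wildcards."""
    if actual is None:  # a missing context key never satisfies an Equals/Like condition
        return False
    if isinstance(policy_values, str):
        policy_values = [policy_values]
    if wildcard:
        return any(fnmatch.fnmatchcase(actual, v) for v in policy_values)
    return any(actual == v for v in policy_values)


def statement_allows(stmt: dict, ctx: dict) -> bool:
    """Return True if one trust-policy statement grants AssumeRole in this context."""
    if stmt.get("Effect") != "Allow":
        return False
    if stmt.get("Principal", {}).get("Service") != "rolesanywhere.amazonaws.com":
        return False
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    # Roles Anywhere tags the session with the certificate attributes, so the
    # trust policy must allow sts:TagSession as well as sts:AssumeRole (modeled
    # here as a hard requirement, matching the page's sample policies).
    if "sts:AssumeRole" not in actions or "sts:TagSession" not in actions:
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, policy_values in keys.items():
            if operator == "StringEquals":
                ok = _matches(policy_values, ctx.get(key), wildcard=False)
            elif operator in ("ArnEquals", "ArnLike"):
                ok = _matches(policy_values, ctx.get(key), wildcard=True)
            else:
                raise ValueError(f"operator not modeled by this example: {operator}")
            if not ok:
                return False
    return True


def assumable_roles(subject: dict, source_arn: str) -> list:
    """Roles whose trust policy a certificate with this subject, via this trust anchor, satisfies."""
    ctx = session_tags(subject)
    ctx["aws:SourceArn"] = source_arn
    return sorted(
        role for role, policy in ROLE_TRUST_POLICIES.items()
        if any(statement_allows(s, ctx) for s in policy["Statement"])
    )


if __name__ == "__main__":
    # Constructed subjects: each application's certificate, plus a foreign trust anchor.
    print(assumable_roles({"CN": "application-1.com", "O": "Example Corp"}, TRUST_ANCHOR_ARN))
    print(assumable_roles({"CN": "application-2.com", "O": "Example Corp"}, TRUST_ANCHOR_ARN))
    other_ta = "arn:aws:rolesanywhere:us-east-1:999999999999:trust-anchor/ta-other"
    print(assumable_roles({"CN": "application-1.com"}, other_ta))
    print(json.dumps(ROLE_TRUST_POLICIES["Role1"], indent=2))
```

Running the script shows Application 1's certificate resolving to Role1 only and Application 2's to Role2 only, a certificate with the right CN but presented through a trust anchor in another account resolving to no role, and a CN that differs only in case resolving to no role, because StringEquals is case-sensitive. The fnmatch wildcard handling also treats square brackets as character classes, which IAM does not; that does not matter for ARNs like the ones here but is a known simplification.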

For more information about role trust policies and how you can modify these samples, see Trust policy in the IAM Roles Anywhere documentation.

Sample role and profile policies for Application 1 and Application 2 are included in the Appendix: Sample profile and role policies section of this guide.