amazon-kms

KMS Key Policy wildcard principal


I have multiple IAM roles (up to 100) that need to use this KMS key. Instead of listing all the IAM roles in the KMS key policy, is there any way I can wildcard or condition it?

{
    "Sid": "Enable IAM Role",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxxx:role/a1",
            "arn:aws:iam::xxxxxxxxxx:role/a2",
            "arn:aws:iam::xxxxxxxxxx:role/a3",
            ............
            "arn:aws:iam::xxxxxxxxxx:role/a100"
        ]
    },
    "Action": "kms:*",
    "Resource": "*"
}

I tried using arn:aws:iam::xxxxxxxxxx:root, or a condition with StringLike on sourceArn, "arn:aws:iam::xxxxxxxxxx:role/a*", but none of them work.

I would like to ask around whether there is any alternative to listing all the IAM roles.


Solution

  • This will help you

    {
        "Sid": "Enable IAM Role",
        "Effect": "Allow",
        "Principal": {
            "AWS": "*"
        },
        "Action": "kms:*",
        "Resource": "*",
        "Condition": {
            "ArnLike": {
                "aws:PrincipalArn": "arn:aws:iam::xxxxxxxxxx:role/a1*"
            }
        }
    }
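As an added check (not part of the question or the answer above), the following Python snippet models how a key-policy statement of the answer's shape is evaluated: it implements ArnLike matching component by component, reports which role ARNs a statement admits, and flags any Allow statement that uses Principal "*" without an aws:PrincipalArn condition, which is the weak form to watch for in a key policy. The account id 111122223333, the role prefix a* and the statements themselves are constructed placeholders.

```python
import re

# Constructed statement in the answer's style: Principal "*" narrowed by an ArnLike
# condition on aws:PrincipalArn so that only roles named a* in this account qualify.
HARDENED = {
    "Sid": "Enable IAM Role", "Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*",
    "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/a*"}},
}
# Same statement with the condition left out: grants kms:* to any AWS principal.
WEAK = {k: v for k, v in HARDENED.items() if k != "Condition"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))

def arn_like(pattern, arn):
    """ArnLike/ArnEquals semantics: six colon-delimited components, each matched
    case-sensitively with * (any run of characters) and ? (one character)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        rx = "^" + re.escape(p).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if not re.match(rx, a):
            return False
    return True

def principal_patterns(stmt):
    """aws:PrincipalArn patterns from the statement's condition, or None if absent."""
    cond = stmt.get("Condition", {})
    pats = []
    for op in ("ArnLike", "ArnEquals"):  # AWS treats both identically for ARNs
        pats += _as_list(cond.get(op, {}).get("aws:PrincipalArn", []))
    return pats or None

def statement_admits(stmt, principal_arn):
    """Does this Allow statement's Principal plus condition match the role ARN?"""
    if stmt.get("Effect") != "Allow":
        return False
    principals = _principals(stmt)
    if principal_arn not in principals and "*" not in principals:
        return False
    pats = principal_patterns(stmt)
    return True if pats is None else any(arn_like(p, principal_arn) for p in pats)

def unconditioned_wildcards(policy):
    """Sids of Allow statements granting to Principal "*" with no principal condition."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and "*" in _principals(s)
            and principal_patterns(s) is None]
```

Run unconditioned_wildcards over a key policy before applying it; an empty list means every wildcard-principal grant is bounded by a principal condition.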