How to overcome "Unsupported Wildcard In Principal"

If you try to create an IAM trust policy that uses a wildcard in the AWS value of the Principal element, IAM rejects it with the error "Unsupported Wildcard In Principal".

So this trust policy will not be accepted:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCrossAccountAccess",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::214125125125:role/myspecialiamrole*"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

You can work around this by trusting the whole account (the :root principal) and narrowing that trust with a Condition on aws:PrincipalArn, which does accept wildcards. For instance, this policy allows cross-account access from account 214125125125 only when the caller is one of the AWSReservedSSO_ roles that IAM Identity Center (AWS SSO) creates, that is, only for users who have signed in to that account with SSO:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCrossAccountAccessButWithSSO",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::214125125125:root"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringLike": {
					"aws:PrincipalArn": "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
				}
			}
		}
	]
}

This means that other IAM roles and IAM users in account 214125125125 cannot assume the cross-account role, even though the account's root principal is trusted: the StringLike condition on aws:PrincipalArn narrows the trust to roles whose ARN matches the AWSReservedSSO_ path, and everything else in that account is denied. Check the actual path of your permission-set roles before relying on the pattern, because the match is a literal, case-sensitive prefix match on the role ARN.
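To check locally which callers the second policy admits and that the first one is rejected, here is a small evaluator I added for this page; it is not AWS code and not part of the original post. It models only what the page uses (a Principal.AWS entry, the sts:AssumeRole action, and StringLike/StringEquals conditions on aws:PrincipalArn), and the caller ARNs it is run against are constructed for the demo (the AWSReservedSSO_ suffix is made up). It does not model the caller's own identity-based policy, which IAM also requires for a cross-account AssumeRole.

```python
import json
import re

# The page's rejected policy: a wildcard inside the Principal ARN.
BAD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowCrossAccountAccess", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::214125125125:role/myspecialiamrole*"},
  "Action": "sts:AssumeRole"}]}
""")

# The page's working policy: trust the account, narrow with aws:PrincipalArn.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Sid": "AllowCrossAccountAccessButWithSSO", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::214125125125:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringLike": {"aws:PrincipalArn":
    "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"}}}]}
""")


def as_list(value):
    """Most IAM policy values may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def account_id(arn):
    """The account id is the 5th colon-separated field of an ARN."""
    return arn.split(":")[4]


def string_like(pattern, value):
    """IAM StringLike: case-sensitive, '*' matches any run of characters
    (including '/'), '?' matches exactly one character."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value) is not None


def validate_principals(policy):
    """Raise the same complaint IAM makes: no wildcard inside a Principal ARN.
    (A bare "*" principal is legal in IAM and out of scope here.)"""
    for stmt in policy["Statement"]:
        for arn in as_list(stmt.get("Principal", {}).get("AWS", [])):
            if arn != "*" and ("*" in arn or "?" in arn):
                raise ValueError(f"Unsupported Wildcard In Principal: {arn}")


def rejects_wildcard_principal(policy):
    """True when the policy would be refused with Unsupported Wildcard In Principal."""
    try:
        validate_principals(policy)
    except ValueError:
        return True
    return False


def principal_matches(stmt, caller_arn):
    """A ':root' principal matches every IAM principal of that account;
    any other ARN must match exactly."""
    for arn in as_list(stmt.get("Principal", {}).get("AWS", [])):
        if arn.endswith(":root") and account_id(arn) == account_id(caller_arn):
            return True
        if arn == caller_arn:
            return True
    return False


def condition_matches(stmt, caller_arn):
    """Every condition block must pass; within one key, any listed value suffices.
    Only aws:PrincipalArn with StringLike / StringEquals is modelled."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, patterns in keys.items():
            if key != "aws:PrincipalArn":
                raise NotImplementedError(f"condition key not modelled: {key}")
            if operator == "StringLike":
                ok = any(string_like(p, caller_arn) for p in as_list(patterns))
            elif operator == "StringEquals":
                ok = caller_arn in as_list(patterns)
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def can_assume(policy, caller_arn):
    """Local approximation of trust-policy evaluation for sts:AssumeRole:
    an explicit Deny wins, otherwise at least one Allow statement must match."""
    validate_principals(policy)
    allowed = False
    for stmt in policy["Statement"]:
        if "sts:AssumeRole" not in as_list(stmt["Action"]):
            continue
        if principal_matches(stmt, caller_arn) and condition_matches(stmt, caller_arn):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed caller ARNs; the permission-set suffix is invented for the demo.
    callers = [
        "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_0123456789abcdef",
        "arn:aws:iam::214125125125:role/myspecialiamrole",
        "arn:aws:iam::214125125125:user/alice",
        "arn:aws:iam::999999999999:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_x",
    ]
    print("first policy rejected:", rejects_wildcard_principal(BAD_POLICY))
    for arn in callers:
        print(can_assume(TRUST_POLICY, arn), arn)
```

Running it shows the point of the page: only the AWSReservedSSO_ role in the trusted account is allowed, while a plain role, an IAM user, and an SSO-style role from a different account are all denied, because the :root principal only opens the door for account 214125125125 and the StringLike condition then closes it for everything but the permission-set roles.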