How to overcome “Unsupported Wildcard In Principal”

Category AWS Security
12 January 2024

If you put a wildcard inside the AWS value of the Principal element of an IAM role trust policy, IAM rejects the policy with the error "Unsupported Wildcard In Principal". The only wildcard accepted there is "*" on its own, which trusts every AWS principal and is almost never what you want in a trust policy; a partial wildcard such as a role-name prefix is not supported.

So this will not work:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCrossAccountAccess",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::214125125125:role/myspecialiamrole*"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

You can get the same effect with a Condition instead. The policy below trusts the whole account 214125125125 in the Principal element (naming the account root delegates the decision to that account's own IAM policies, so callers there still need an identity policy that allows sts:AssumeRole on this role) and then uses a StringLike condition on aws:PrincipalArn to narrow the trust to the roles that IAM Identity Center (formerly AWS SSO) creates for its permission sets. A caller from that account is therefore only allowed if they signed in through SSO:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCrossAccountAccessButWithSSO",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::214125125125:root"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringLike": {
					"aws:PrincipalArn": "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
				}
			}
		}
	]
}

Because of the condition, ordinary IAM roles and IAM users in account 214125125125 cannot assume this role, even though the Principal names the whole account; only the AWSReservedSSO_* permission-set roles can. Two things to check before relying on it: aws:PrincipalArn for a role session is the role's own ARN including its path, not the assumed-role session ARN, which is why a role-path pattern works here; and if your IAM Identity Center instance lives outside us-east-1, the reserved roles carry the region in their path (.../sso.amazonaws.com/eu-west-1/AWSReservedSSO_...), so a pattern of the form .../sso.amazonaws.com/*AWSReservedSSO_* is needed to match them.
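The following is an added example, not code from the original article: a small offline model of how IAM evaluates the trust policy above, so you can check which caller ARNs from the trusted account would pass the StringLike condition before deploying it. It embeds the article's policy, implements IAM's StringLike matching ("*" and "?", case-sensitive), approximates the validation that rejects a partial wildcard in the Principal, and compares the article's pattern with a region-tolerant one. The caller ARNs are constructed (assumed permission-set names and hashes), and the model covers only what the article's policy uses: Effect Allow, AWS principals, and a StringLike condition on aws:PrincipalArn. Real evaluation additionally requires the caller's own identity policy to allow sts:AssumeRole, which is not modelled.

```python
# Added example for this article (not code from the original post): an offline
# model of trust-policy evaluation for the StringLike-on-aws:PrincipalArn pattern.
import json
import re

# The article's trust policy, embedded verbatim.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCrossAccountAccessButWithSSO",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::214125125125:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringLike": {
      "aws:PrincipalArn": "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
    }}
  }]
}
""")

# Constructed caller ARNs (assumed permission-set names and hashes, not real ones).
SSO_ROLE = "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_0123456789abcdef"
SSO_ROLE_WITH_REGION = "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AdministratorAccess_0123456789abcdef"
PLAIN_ROLE = "arn:aws:iam::214125125125:role/myspecialiamrole"
IAM_USER = "arn:aws:iam::214125125125:user/alice"
OTHER_ACCOUNT_SSO_ROLE = "arn:aws:iam::999999999999:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_0123456789abcdef"


def as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters and '?' exactly one; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def account_of(arn: str) -> str:
    """The account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4]


def has_unsupported_wildcard(principal_arn: str) -> bool:
    """Approximation of the validation behind the error in the title: the AWS
    principal may be exactly '*', but an ARN containing a partial wildcard is rejected."""
    return principal_arn != "*" and ("*" in principal_arn or "?" in principal_arn)


def can_assume(policy: dict, caller_arn: str) -> bool:
    """Return True if some Allow statement lets caller_arn call sts:AssumeRole.
    For a role session aws:PrincipalArn is the role ARN including its path,
    so that is what the caller presents here."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principals = as_list(stmt.get("Principal", {}).get("AWS", []))
        # Trusting an account root means "any principal of that account that its
        # own IAM policies permit"; the Condition then narrows that set.
        trusted = any(
            p == "*" or p == caller_arn
            or (p.endswith(":root") and account_of(p) == account_of(caller_arn))
            for p in principals
        )
        if not trusted:
            continue
        patterns = as_list(stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", []))
        if patterns and not any(string_like(p, caller_arn) for p in patterns):
            continue
        return True
    return False


def with_region_tolerant_pattern(policy: dict) -> dict:
    """Copy of the policy whose pattern also matches Identity Center roles that
    carry a region in their path (instances outside us-east-1)."""
    patched = json.loads(json.dumps(policy))
    patched["Statement"][0]["Condition"]["StringLike"]["aws:PrincipalArn"] = (
        "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_*"
    )
    return patched


if __name__ == "__main__":
    print("wildcard in Principal rejected:",
          has_unsupported_wildcard("arn:aws:iam::214125125125:role/myspecialiamrole*"))
    print("article  region-tolerant  caller")
    for arn in (SSO_ROLE, SSO_ROLE_WITH_REGION, PLAIN_ROLE, IAM_USER, OTHER_ACCOUNT_SSO_ROLE):
        print(f"{can_assume(TRUST_POLICY, arn)!s:8} {can_assume(with_region_tolerant_pattern(TRUST_POLICY), arn)!s:16} {arn}")
```

Run it as a script and the table shows the Identity Center role passing, the plain role, the IAM user and the same role name in another account failing, and the region-in-path variant failing under the article's pattern but passing under the region-tolerant one. Treat it as a pre-flight check on your pattern, not as a substitute for testing the deployed role with a real SSO session.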
