🚀 Enhancements
[aws-teams] Remove obsolete restriction on assuming roles in identity account
What
- [aws-teams] Remove obsolete restriction on assuming roles in the
identity
account
Why
Some time ago, there was an implied permission for any IAM role to assume any other IAM role in the same account if the
originating role had sufficient permissions to perform sts:AssumeRole
. For this reason, we had an explicit policy
against assuming roles in the identity
account.
AWS has removed that implied permission and now requires all roles to have explicit trust policies. Our current Team
structure requires Teams (e.g. spacelift
) to be able to assume roles in identity
(e.g. planner
). Therefore, the
previous restriction is both not needed and actually hinders desired operation.
🐛 Bug Fixes
[aws-teams] Remove obsolete restriction on assuming roles in identity account
What
- [aws-teams] Remove obsolete restriction on assuming roles in the
identity
account
Why
Some time ago, there was an implied permission for any IAM role to assume any other IAM role in the same account if the
originating role had sufficient permissions to perform sts:AssumeRole
. For this reason, we had an explicit policy
against assuming roles in the identity
account.
AWS has removed that implied permission and now requires all roles to have explicit trust policies. Our current Team
structure requires Teams (e.g. spacelift
) to be able to assume roles in identity
(e.g. planner
). Therefore, the
previous restriction is both not needed and actually hinders desired operation.