How to overcome “Unsupported Wildcard In Principal”

Category AWS Security
12 January 2024

If you put a wildcard inside the AWS entry of the Principal element of an IAM trust policy, IAM rejects the policy with the error "Unsupported Wildcard In Principal". The only wildcard IAM accepts in a Principal is a bare "*" (everyone); a partial wildcard inside an ARN is not allowed.

So this will not work:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCrossAccountAccess",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::214125125125:role/myspecialiamrole*"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

You can overcome this by naming the whole account (its root) as the principal and narrowing it with an additional condition: the Condition element does accept wildcards through the StringLike operator. For instance, this trust policy allows cross-account access from account 214125125125, but only if the caller is a role created by IAM Identity Center (an AWSReservedSSO_* permission-set role), i.e. the user has signed into that account with SSO:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AllowCrossAccountAccessButWithSSO",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::214125125125:root"
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringLike": {
					"aws:PrincipalArn": "arn:aws:iam::214125125125:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
				}
			}
		}
	]
}

Because the condition only matches the AWSReservedSSO_* role ARNs, other IAM roles and IAM users in account 214125125125 cannot assume the cross-account role, even though the account root is named as the principal. Matching on role/... works because aws:PrincipalArn for a role session carries the role's ARN, not the sts assumed-role session ARN.

Two things to check before relying on this: naming the account root only delegates permission to the other account, so the SSO role there still needs an identity policy that allows sts:AssumeRole on the cross-account role; and permission-set roles carry a region segment in their path when the IAM Identity Center instance is outside us-east-1 (.../sso.amazonaws.com/eu-west-1/AWSReservedSSO_...), so widen the pattern to .../sso.amazonaws.com/*AWSReservedSSO_* if that applies to you.
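To make the behaviour of the trust policy above concrete, here is an added example (not code from the original article) that builds the policy, rejects a wildcard in the Principal the way IAM does, and evaluates the StringLike condition on aws:PrincipalArn against a few constructed caller ARNs. The role names, the permission-set hash and the eu-west-1 region path are assumptions chosen for illustration; the evaluator only models the trust-policy side of sts:AssumeRole, not the caller's own identity policy.

```python
import json
import re

ACCOUNT = "214125125125"

# Assumed pattern from the article, plus a widened variant that also matches
# permission-set roles whose path carries a region segment.
NARROW_PATTERN = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_*"
WIDE_PATTERN = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_*"

# Constructed caller ARNs (hash and names are made up for this example).
SSO_ROLE = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_0123456789abcdef"
SSO_ROLE_REGIONAL = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_AdministratorAccess_0123456789abcdef"
PLAIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/myspecialiamrole"
IAM_USER = f"arn:aws:iam::{ACCOUNT}:user/alice"
OTHER_ACCOUNT_SSO = "arn:aws:iam::999999999999:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_0123456789abcdef"


class UnsupportedWildcardInPrincipal(ValueError):
    """Raised for the same input IAM rejects: a wildcard inside a Principal ARN."""


def as_list(value):
    return [value] if isinstance(value, str) else list(value)


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters
    (including '/'), '?' matches exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def trust_policy(account: str, principal_arn_pattern: str) -> dict:
    """Trust policy that names the account root and narrows it with StringLike."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountAccessButWithSSO",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringLike": {"aws:PrincipalArn": principal_arn_pattern}},
        }],
    }


def wildcard_principal_policy(account: str) -> dict:
    """The rejected form from the article: a wildcard inside the Principal ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCrossAccountAccess",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:role/myspecialiamrole*"},
            "Action": "sts:AssumeRole",
        }],
    }


def validate_principals(policy: dict) -> None:
    """Mimic IAM's check: only a bare '*' may appear in a Principal."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*":
            continue
        for entry in as_list(principal.get("AWS", [])):
            if entry != "*" and ("*" in entry or "?" in entry):
                raise UnsupportedWildcardInPrincipal(entry)


def assume_role_allowed(policy: dict, caller_arn: str) -> bool:
    """Evaluate the trust-policy side of sts:AssumeRole for a caller.
    caller_arn is what aws:PrincipalArn carries: the role ARN for a role
    session, or the user ARN for an IAM user."""
    validate_principals(policy)
    caller_account = caller_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt["Action"]):
            continue
        principals = as_list(stmt["Principal"].get("AWS", []))
        # The account root delegates to every principal in that account;
        # anything else must be an exact ARN match.
        if f"arn:aws:iam::{caller_account}:root" not in principals and caller_arn not in principals:
            continue
        patterns = as_list(stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", []))
        if patterns and not any(string_like(p, caller_arn) for p in patterns):
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT, NARROW_PATTERN), indent=2))
    for arn in (SSO_ROLE, SSO_ROLE_REGIONAL, PLAIN_ROLE, IAM_USER, OTHER_ACCOUNT_SSO):
        print(assume_role_allowed(trust_policy(ACCOUNT, NARROW_PATTERN), arn), arn)
```

Running the script prints the policy and then which of the constructed callers would pass the trust policy: only the us-east-1-style SSO role passes the narrow pattern, while the regional SSO role only passes the widened one, and the plain role, the IAM user and a principal from another account are all refused.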
