IT-4497 Allow Developer role to assume Bedrock role in dedicated Bedrock AWS account (#1432)

brucehoff · web-flow · commit c728b3f0236c · 2025-07-07T12:13:20.000-07:00
IT-4497 Allow Developer role to assume Bedrock role in dedicated Bedrock AWS account
diff --git a/org-formation/700-aws-sso/_tasks.yaml b/org-formation/700-aws-sso/_tasks.yaml
@@ -442,7 +442,14 @@ SsoDeveloper:
               {
                   "Effect": "Deny",
                   "Action": "sts:AssumeRole",
-                  "Resource": "*"
+                  "Resource": "*",
+                  "Condition": {
+                    "StringNotEquals": {
+                        "aws:PrincipalArn": {
+                            "Fn::ImportValue": "us-east-1-synapsellmprod-bedrock-full-access-ServiceRoleArn"
+                        }
+                    }
+                  }
               }
           ]
       }

Original file line number	Diff line number	Diff line change
`@@ -442,7 +442,14 @@ SsoDeveloper:`
`442`	`442`	`{`
`443`	`443`	`"Effect": "Deny",`
`444`	`444`	`"Action": "sts:AssumeRole",`
`445`		`- "Resource": "*"`
	`445`	`+ "Resource": "*",`
	`446`	`+ "Condition": {`
	`447`	`+ "StringNotEquals": {`
	`448`	`+ "aws:PrincipalArn": {`
	`449`	`+ "Fn::ImportValue": "us-east-1-synapsellmprod-bedrock-full-access-ServiceRoleArn"`
	`450`	`+ }`
	`451`	`+ }`
	`452`	`+ }`
`446`	`453`	`}`
`447`	`454`	`]`
`448`	`455`	`}`