← All posts
2 min read

Update an IAM role trust policy

#aws#cli#iam#security#identity
📑 On this page

Part 112 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

Trust policy updates replace the existing document. Narrowing from an account principal to one user makes the assumption relationship more explicit.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

cat > narrow-trust.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$ACCOUNT_ID:user/$USER_NAME"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
 
aws iam update-assume-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-document file://narrow-trust.json

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-role \
  --role-name "$ROLE_NAME" \
  --query "Role.AssumeRolePolicyDocument.Statement"

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws accessanalyzer validate-policy \
  --policy-type RESOURCE_POLICY \
  --validate-policy-resource-type AWS::IAM::AssumeRolePolicyDocument \
  --policy-document file://narrow-trust.json

Validate trust-policy structure and review findings before replacement.

Common mistake

Preserve every required trusted principal and condition. A replacement that omits one can break production automation immediately after propagation.

Cleanup

rm narrow-trust.json

Keep the narrowed trust for the named demo user during the next lessons.

Next, we will learn Attach a managed policy to an IAM role.

Official AWS CLI reference