Update an IAM role trust policy
📑 On this page
Part 112 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
Trust policy updates replace the existing document. Narrowing from an account principal to one user makes the assumption relationship more explicit.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
cat > narrow-trust.json <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::$ACCOUNT_ID:user/$USER_NAME"},
"Action": "sts:AssumeRole"
}]
}
EOF
aws iam update-assume-role-policy \
--role-name "$ROLE_NAME" \
--policy-document file://narrow-trust.jsonIAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam get-role \
--role-name "$ROLE_NAME" \
--query "Role.AssumeRolePolicyDocument.Statement"Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws accessanalyzer validate-policy \
--policy-type RESOURCE_POLICY \
--validate-policy-resource-type AWS::IAM::AssumeRolePolicyDocument \
--policy-document file://narrow-trust.jsonValidate trust-policy structure and review findings before replacement.
Common mistake
Preserve every required trusted principal and condition. A replacement that omits one can break production automation immediately after propagation.
Cleanup
rm narrow-trust.jsonKeep the narrowed trust for the named demo user during the next lessons.
Next, we will learn Attach a managed policy to an IAM role.