Description
Is your request related to a problem? Please describe.
When building a trust policy for an OIDC role, you have the option of using oidc_subjects or oidc_wildcard_subjects as part of the dynamic conditions.
However, in the use case of requiring both the _subjects functionality for StringEquals and the _wildcard functionality for StringLike, both conditions are added to the same statement.
As multiple conditions on a single statement are evaluated with AND rather than OR, this breaks the functionality/purpose of the policy.
Describe the solution you'd like.
Edit the _wildcard config so that, if the _subjects config exists, it generates a second, matching Effect statement in order to allow both the StringLike and StringEquals Condition Keys to operate concurrently under OR evaluation.
Describe alternatives you've considered.
Only using _wildcard, even for the subjects we wish to match entirely, but this comes with security concerns down the line / is technically not least privilege.
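The evaluation problem described in the issue, as an added example that is not code from the issue or from the module: the two helpers below build the "one statement with both operators" trust policy and the "one statement per operator" trust policy from the same oidc_subjects / oidc_wildcard_subjects inputs, and a small evaluator applies the IAM rules the issue relies on (values under one operator are ORed, operators within one Condition block are ANDed, separate Allow statements are ORed). The provider host token.actions.githubusercontent.com, the account id, the ARN and the sample subjects are constructed for the example and are not taken from the issue.

```python
"""Added example: why StringEquals + StringLike in one statement breaks, and the split fix.

Assumptions not stated in the issue: the OIDC provider is
token.actions.githubusercontent.com, the condition key is '<provider>:sub',
and the provider ARN / account id are placeholders.
"""
import json
import re

PROVIDER = "token.actions.githubusercontent.com"            # assumed provider host
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{PROVIDER}"  # placeholder ARN
SUB_KEY = f"{PROVIDER}:sub"


def _statement(operator, subjects):
    """One Allow statement for sts:AssumeRoleWithWebIdentity with a single condition operator."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {operator: {SUB_KEY: list(subjects)}},
    }


def single_statement_policy(oidc_subjects, oidc_wildcard_subjects):
    """The shape the issue describes: both operators in one statement, so IAM ANDs them."""
    stmt = _statement("StringEquals", oidc_subjects)
    stmt["Condition"]["StringLike"] = {SUB_KEY: list(oidc_wildcard_subjects)}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def split_statement_policy(oidc_subjects, oidc_wildcard_subjects):
    """The shape the issue asks for: one statement per operator, so IAM ORs them."""
    statements = []
    if oidc_subjects:
        statements.append(_statement("StringEquals", oidc_subjects))
    if oidc_wildcard_subjects:
        statements.append(_statement("StringLike", oidc_wildcard_subjects))
    return {"Version": "2012-10-17", "Statement": statements}


def _string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one, rest literal."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringLike": _string_like,
}


def condition_allows(condition, sub):
    """Mimic IAM evaluation for a single-valued 'sub' claim: the values listed under one
    operator are ORed, but every operator in the Condition block must hold (AND)."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        if not any(match(v, sub) for v in keys.get(SUB_KEY, [])):
            return False
    return True


def policy_allows(policy, sub):
    """Statements are ORed: any Allow statement whose condition holds grants the assume.
    (The generated policies contain no Deny statements, so none are modelled.)"""
    return any(
        s["Effect"] == "Allow" and condition_allows(s.get("Condition", {}), sub)
        for s in policy["Statement"]
    )


# Constructed sample inputs: one exact subject, one wildcard subject.
EXACT = ["repo:acme/app:ref:refs/heads/main"]
WILDCARD = ["repo:acme/infra:ref:refs/tags/*"]

if __name__ == "__main__":
    broken = single_statement_policy(EXACT, WILDCARD)
    fixed = split_statement_policy(EXACT, WILDCARD)
    for sub in ("repo:acme/app:ref:refs/heads/main", "repo:acme/infra:ref:refs/tags/v1.2.0"):
        print(sub, "single:", policy_allows(broken, sub), "split:", policy_allows(fixed, sub))
    print(json.dumps(fixed, indent=2))
```

With the single-statement policy neither sample subject can assume the role, because no one token subject can satisfy both the exact list and the wildcard list at once; with the split policy each subject is accepted by exactly the statement meant for it, and a subject from another repository is still refused by both.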