How to restrict AWS role to specific Spacelift stack

Last updated: December 19, 2025

When setting up AWS integration with Spacelift, you may want to restrict the IAM role to be assumable only by a specific stack. However, AWS has strict requirements for wildcard usage in IAM policies that can cause issues with the standard approach.

The Issue with Wildcards

AWS requires that a wildcard in an IAM trust policy condition value be preceded by at least 6 consecutive characters. Placing the wildcard at the beginning of the condition value therefore produces an error:

Wildcard Usage Too Permissive: Overly permissive use of wildcard for the [domain].app.spacelift.io:sub condition key. Use the wildcard preceded by 6 consecutive characters.

Correct Configuration

To properly restrict the role to a specific stack, use the following format in your IAM trust policy:

"StringLike": {
  "yourdomain.app.spacelift.io:sub": "space:SPACE-ID:stack:STACK-ID*"
}

Replace the following values:

  • yourdomain - Your Spacelift account domain

  • SPACE-ID - Your specific space ID

  • STACK-ID - Your specific stack ID

The key points of this configuration:

  • The subject string always starts with your Spacelift account domain as a constant prefix

  • The format follows the pattern: space:SPACE-ID:stack:STACK-ID

  • The wildcard (*) is placed at the end, after enough literal characters to satisfy the AWS requirement

Example

For a company with domain "mycompany" wanting to restrict access to stack "production-app" in space "prod-space", the configuration would be:

"StringLike": {
  "mycompany.app.spacelift.io:sub": "space:prod-space:stack:production-app*"
}

This approach keeps your IAM trust policy valid while still restricting role assumption to your specific Spacelift stack.
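The following Python script is an added example, not code from this article, Spacelift or AWS. It assembles the StringLike condition above into a complete trust policy and evaluates candidate condition values locally against constructed subject claims. The claim layout it assumes (space:SPACE-ID:stack:STACK-ID:run_type:...:scope:...), the OIDC provider ARN and the stack names are all placeholders, and string_like and wildcard_prefix_ok are local approximations of IAM's StringLike matching and of the "6 consecutive characters" rule quoted above, not AWS's validator. It goes slightly beyond the article by showing that the trailing wildcard also matches any stack whose ID starts with STACK-ID, and by comparing a tighter variant that closes that gap.

```python
import json
import re

# Constructed values for illustration only; none of these are real accounts or ARNs.
ACCOUNT_DOMAIN = "mycompany"
SPACE_ID = "prod-space"
STACK_ID = "production-app"
OIDC_PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/mycompany.app.spacelift.io"  # placeholder


def build_trust_policy(domain, space_id, stack_id, provider_arn, pattern=None):
    """Return a complete trust policy using the StringLike condition from the article.
    `pattern` overrides the default 'space:SPACE:stack:STACK*' value so variants can be compared."""
    sub_pattern = pattern or f"space:{space_id}:stack:{stack_id}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringLike": {f"{domain}.app.spacelift.io:sub": sub_pattern}
                },
            }
        ],
    }


def string_like(pattern, value):
    """Local approximation of IAM StringLike: '*' matches any run of characters,
    '?' matches exactly one, everything else is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def wildcard_prefix_ok(pattern, minimum=6):
    """Local check for the rule the article quotes: every wildcard must be preceded by
    at least `minimum` consecutive literal characters. Mirrors the error text only;
    treat a pass here as necessary, not sufficient, for AWS to accept the policy."""
    run = 0
    for ch in pattern:
        if ch in "*?":
            if run < minimum:
                return False
            run = 0
        else:
            run += 1
    return True


def role_assumable(policy, sub_claim):
    """Evaluate the single-statement trust policy against a presented `sub` claim."""
    stmt = policy["Statement"][0]
    conditions = stmt["Condition"]["StringLike"]
    return stmt["Effect"] == "Allow" and all(
        string_like(pat, sub_claim) for pat in conditions.values()
    )


# Constructed sample claims in the assumed Spacelift layout:
# space:<space>:stack:<stack>:run_type:<type>:scope:<read|write>
CLAIMS = {
    "intended": f"space:{SPACE_ID}:stack:{STACK_ID}:run_type:TRACKED:scope:write",
    "other_stack": f"space:{SPACE_ID}:stack:staging-app:run_type:TRACKED:scope:write",
    "prefix_collision": f"space:{SPACE_ID}:stack:{STACK_ID}-v2:run_type:TRACKED:scope:write",
}

DEFAULT_PATTERN = f"space:{SPACE_ID}:stack:{STACK_ID}*"        # the article's form
TIGHTER_PATTERN = f"space:{SPACE_ID}:stack:{STACK_ID}:*"       # assumes ':' follows the stack ID
LEADING_PATTERN = f"*:stack:{STACK_ID}"                        # the form AWS rejects


def evaluate_patterns():
    """Lint each candidate pattern and record which constructed claims it admits."""
    results = {}
    for name, pattern in (("default", DEFAULT_PATTERN),
                          ("tighter", TIGHTER_PATTERN),
                          ("leading", LEADING_PATTERN)):
        policy = build_trust_policy(ACCOUNT_DOMAIN, SPACE_ID, STACK_ID, OIDC_PROVIDER_ARN, pattern)
        results[name] = {
            "valid_prefix": wildcard_prefix_ok(pattern),
            "matches": {claim: role_assumable(policy, sub) for claim, sub in CLAIMS.items()},
        }
    return results


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_DOMAIN, SPACE_ID, STACK_ID, OIDC_PROVIDER_ARN), indent=2))
    print(json.dumps(evaluate_patterns(), indent=2))
```

Running it shows the article's pattern passes the prefix check and admits the intended stack but also admits "production-app-v2", because the trailing wildcard matches anything after the stack ID. The tighter variant with the colon before the wildcard excludes that sibling; it depends on the assumed claim layout, so confirm the actual sub claim from a real Spacelift run before adopting it.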