I have role A which has a policy that explicitly denied all actions to S3. And role B which has a policy attached to it to allow all actions to S3. I attach role A to an ec2, with that I can’t obviously access s3. but if I assume role B within ec2 I can access s3.
The problem is I want to not to able to access s3 because parent role (role A) explicitly denies it. but it seems when I assume new role (role B), it doesn’t care about policies of previous role (role A).
Is there any way I can make it work in the way I want ?
At the basis, each EC2 instance can only have one role assigned to itself, and at any given time an identity can only act under one role.
Role assumption does not actually change who the original identity is and what it can do as defined by original assigned role. When an identity successfully assumes a role, it will be given with a temporary credential to interact with AWS under role B, and it will temporarily be governed by role B during that session. When the session times out, or the temporary credential becomes invalid, then the identity can no longer act under role B. It has to assume role B again if it wants to act as role B.
If you configure role A in such a way that it allows the instance 01 to assume other roles (role B for example), then the moment that instance 01 successfully assumes role B, instance 01 will be given with temporary credential to act under role B and will be governed by role B (until the assumption of role B is revoked or until the session token times out).
Role is not parental to another one as you might have understood, each role is independent to each other. So IMO, it’s not possible to achieve what you want with current setup as you described.
You can (partially) achieve the goal, by attaching another policy document to role B that explicitly denies the access to S3 (on every identity, or on the EC2 service, or on a list of specific EC2 instances).