Hi. You will be able to achieve your goal by using the Condition element. The bucket policy will look like this:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UserID",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "StringLike": {
                    "aws:userId": "AROAEXAMPLEID:SSOUserName"
                }
            }
        }
    ]
}
```
You can find out what the aws:userid variable is here.
Each IAM entity (user or role) has a defined aws:userid variable. You will need this variable for use within the bucket policy to specify the role or user as an exception in a conditional element. An assumed role's aws:userId value is defined as UNIQUE-ROLE-ID:ROLE-SESSION-NAME (for example, AROAEXAMPLEID:userdefinedsessionname).
Hi, you can use federated users as IAM Principals in policies: see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#sts-session-principals
This page provides an example:

```
"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:federated-user/user-name" }
```

You can make this more sophisticated by using the implicit variable ${AWS:UserId} and checking other conditions on this UserId if needed (matches some pattern, etc.).
Thanks for your response, Didier. I tried to add the Principal and it gives me the error "Invalid principal in policy".
I am using user@domainname.onmicrosoft.com in place of user-name, as this is an Azure AD user.
Thanks for your response. It seems that in this way I need to use the role name. However, in my case an Azure AD user may be part of multiple roles / permission sets. I would like to define the policy based on the AD user's UserPrincipalName, which will be unique.
I found a similar post.
https://repost.aws/questions/QUpS_5uoExQqujbTTe02zGSA
I think that you need to use UNIQUE-ROLE-ID (can be identified from the role name) with ROLE-SESSION-NAME (the user name used to sign in to AWS Identity Center) to grant access anyway. So, if you are using multiple roles, adding multiple statements in the bucket policy will work.
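As an added example (not from any of the posts above, and not AWS's own code), the following Python script shows what the first answer's policy looks like once it is extended the way the last reply suggests: one `Allow` statement per (role ID, session name) pair, with `Principal: "*"` and the `aws:userId` `StringLike` condition doing all of the narrowing. It also includes a small local evaluator so you can see which callers a given policy would admit before deploying it. The role IDs and session names are constructed placeholders, `string_like` is an approximation of IAM's `StringLike` operator (case-sensitive, `*` and `?` wildcards), and `is_allowed` is a deliberate simplification: it only looks at the `Allow` statements of this one bucket policy and ignores explicit denies, identity-based policies and SCPs, so it is a review aid, not a reimplementation of the IAM policy engine.

```python
import json
import re

# Constructed sample values, not real AWS identifiers: each tuple is
# (UNIQUE-ROLE-ID, ROLE-SESSION-NAME). With IAM Identity Center the session
# name is the user's sign-in name, so one user who can land in several
# permission sets needs one pair per underlying role.
BUCKET = "mybucket"
SAMPLE_PRINCIPALS = [
    ("AROAEXAMPLEID", "alice@example.onmicrosoft.com"),
    ("AROAEXAMPLEID2", "alice@example.onmicrosoft.com"),
]
ALLOWED_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion"]


def build_bucket_policy(bucket, principals):
    """Return a bucket policy dict with one Allow statement per principal pair.

    Principal is "*", so the aws:userId condition is the only thing that
    restricts who can read the objects; keep the pattern exact (no wildcard
    after the colon) unless you intend every session of that role to match.
    """
    statements = []
    for i, (role_id, session_name) in enumerate(principals):
        statements.append({
            "Sid": f"UserID{i}",
            "Effect": "Allow",
            "Principal": "*",
            "Action": list(ALLOWED_ACTIONS),
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringLike": {"aws:userId": f"{role_id}:{session_name}"}
            },
        })
    return {"Version": "2012-10-17", "Statement": statements}


def string_like(pattern, value):
    """Approximate IAM StringLike: case-sensitive, '*' = any run, '?' = one char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, user_id, action, resource):
    """Local check: does any Allow statement grant `action` on `resource`
    to a caller whose aws:userId is `user_id`? (Simplified: no Deny handling,
    no other policy types.)"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not string_like(stmt["Resource"], resource):
            continue
        patterns = stmt["Condition"]["StringLike"]["aws:userId"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(string_like(p, user_id) for p in patterns):
            return True
    return False


def review(policy, candidates, action, resource):
    """Return {user_id: allowed?} for a list of candidate aws:userId values."""
    return {uid: is_allowed(policy, uid, action, resource) for uid in candidates}


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, SAMPLE_PRINCIPALS)
    print(json.dumps(policy, indent=4))
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    for uid, ok in review(policy, [
        "AROAEXAMPLEID:alice@example.onmicrosoft.com",   # listed role + user
        "AROAEXAMPLEID2:alice@example.onmicrosoft.com",  # second permission set
        "AROAEXAMPLEID:bob@example.onmicrosoft.com",     # same role, other user
        "AROAOTHERROLE:alice@example.onmicrosoft.com",   # unlisted role
    ], "s3:GetObject", obj).items():
        print(f"{uid:<50} {'ALLOW' if ok else 'no match'}")
```

Two points the evaluator makes visible: a caller in an unlisted role is not matched even with the right user name, so every role the user can assume needs its own statement, and a pattern such as `AROAEXAMPLEID:*` would admit every session of that role, which is why the session-name half of the condition should stay exact. The check is also only as strong as control over the session name: IAM Identity Center sets it from the user's sign-in name, whereas a direct `sts:AssumeRole` caller chooses it, so the role's trust policy must limit who can assume the role in the first place.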