How to assign role for a group of users

0

Hello,

I'm writing a Terraform manifest; I create roles, groups, and users, and assign users to those groups. Now I want to assign roles to groups. I was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what I need.

Any suggestions? Is it even possible?

1 Answer
1
Accepted answer

According to the documentation, IAM Identities (users, user groups, and roles), this is not possible.

A user group cannot be identified as a Principal in a resource-based policy.

The role trust policy is a resource-based policy.

You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.

"Condition": {
    "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
}

AWS EXPERT
kentrad
answered 2 years ago
  • Thank you. For those who have the same problem, there is a workaround: you can just define multiple users in the role trust policy, adding "AWS": ["user","user2"] in the policy. Very strange why AWS would not make it possible to do the same with groups though.
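The tag-matching trust policy from the accepted answer, written out as a complete Terraform configuration. This is an added example, not code from the answer, the comment or the terraform-aws-modules project; the resource names, the tag key `project`, its value `payments`, the region and the user name are assumptions. It shows how the group still ends up gating access: the trust policy names the account root as principal and adds the tag condition, and the `sts:AssumeRole` permission itself lives in a policy attached to the group, so a user must both be in the group and carry a matching `project` tag to assume the role. That avoids the per-user list from the comment, which has to be edited every time membership changes.

```hcl
# Added example (not from the original answer). All names and tag values are assumed.
provider "aws" {
  region = "us-east-1" # assumed
}

data "aws_caller_identity" "current" {}

locals {
  project = "payments" # assumed tag value shared by the role and its users
}

# The user carries the tag that the trust policy compares against.
resource "aws_iam_user" "dev" {
  name = "dev-user" # assumed
  tags = { project = local.project }
}

resource "aws_iam_group" "project_devs" {
  name = "${local.project}-devs"
}

resource "aws_iam_group_membership" "project_devs" {
  name  = "${local.project}-devs-membership"
  group = aws_iam_group.project_devs.name
  users = [aws_iam_user.dev.name]
}

# The role carries the same tag; the trust policy allows any principal in this
# account whose project tag equals the role's project tag.
resource "aws_iam_role" "project_role" {
  name = "${local.project}-role"
  tags = { project = local.project }

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = {
        AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
      }
      Condition = {
        StringEquals = {
          # "$${" escapes the literal "${...}" so AWS, not Terraform, expands it.
          "aws:ResourceTag/project" = "$${aws:PrincipalTag/project}"
        }
      }
    }]
  })
}

# Because the trust policy's principal is the account root, a user also needs an
# identity-based allow for sts:AssumeRole. Attaching it to the group is what makes
# group membership a condition of assuming the role.
resource "aws_iam_group_policy" "assume_project_role" {
  name  = "assume-${local.project}-role"
  group = aws_iam_group.project_devs.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = aws_iam_role.project_role.arn
    }]
  })
}
```

Run `terraform init` and `terraform validate` to check the configuration before applying. A user who is in the group but has no `project` tag, or a different value, is denied by the trust policy's `StringEquals` condition; a user with the matching tag who is not in the group is denied because no identity policy grants `sts:AssumeRole`. Both the role's and the users' tags are therefore part of the access boundary, so permission to change those tags (`iam:TagRole`, `iam:TagUser`) should be restricted as carefully as permission to edit the policies themselves.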
