- 新しい順
- 投票が多い順
- コメントが多い順
To adjust your policy to restrict access to a particular S3 bucket for users logging in through SSO by assuming a specific IAM role, while ensuring it doesn't restrict access for users logging in through other roles, you can use the ${aws:userid} variable. This variable allows you to create conditions based on the unique combination of the role and the user assuming the role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::{bucket-name}", "arn:aws:s3:::{bucket-name}/*" ], "Condition": { "StringNotLike": { "aws:userid": "{role-id}:{user-name}" } } } ] }
In this policy, replace {bucket-name} with your bucket name, {role-id} with the role ID of the specific IAM role, and {user-name} with the user name or a wildcard pattern matching the users who assume this role. The aws:userid variable combines the role ID and the user's unique name (or session name) in the format role-id:user-name.
If this has resolved your issue or was helpful, accepting the answer would be greatly appreciated. Thank you!
We need to use StringNotLike here . But the initial problem was solved . Thanks
Hey Mina, in your suggested policy, I guess you'll need to change the effect to "Allow", to only allow the user with the role attached to access the S3 bucket, or change the condition to be "StringNotLike".
関連するコンテンツ
AWS公式更新しました 1年前
Your ARN looks to be off. Can you verify the role ARN? i.e. arn:aws:iam::1234567890:role/MY_ROLE