How do I use an IAM identity-based policy to restrict access to a specific IAM role session?

2 minute read

I want to use an identity-based policy to grant permissions to a specific AWS Identity and Access Management (IAM) role session.

Resolution

To create an IAM policy that allows access to a specific IAM role session, use the AWS global condition context key aws:userid.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

The aws:userid global condition key checks whether the unique ID of the principal that's making the request matches the unique ID specified in the IAM policy. For example, to allow an IAM role session to perform specific Amazon Elastic Compute Cloud (Amazon EC2) actions in your AWS account, create an IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowASpecificRoleSession",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:userid": "AROAXXXXXXXXXXXXXXXXX:<role-session-name>"
        }
      }
    }
  ]
}

This IAM policy grants the Amazon EC2 instance access to the IAM role session in the aws:userid global condition key. Other role sessions can't perform Amazon EC2 actions.

To get the role ID for the IAM role, run the get-role AWS CLI command:

aws iam get-role --role-name <rolename>

You receive an output similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/example-folder/*"
      ]
    }
  ]
}

In the output, check for the RoleId string. The role ID is used in the identity-based policy to scope the Amazon EC2 instance's access to the IAM role session.

Note: The aws:userid global condition key can be used in any type of IAM policy such as an identity-based policy, resource-based policy, and permission boundary policy. The values for aws:userid global condition key depend on what type of principal initiates the request. To determine the values for different types of principals, see Principal key values.

Related information

Can I restrict the access of IAM Identity to specific Amazon EC2 resources?

How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?

Topics

Security, Identity, & Compliance

Relevant content

IAM role/policy specific to a single lambda
Aman
asked 2 years ago
deny access to a specific idp provider while creating an iam role
dsids
asked 3 years ago
IAM Policy Condition with Role Session Name
kalmesh
asked 2 years ago
IAM role/policy restrictions
rePost-User-1680684
asked 2 years ago
IAM Policy that allows only access to "Switch Role"
Bicchi
asked 3 years ago
How can I restrict an IAM user or role to specific attributes in a DynamoDB table?
AWS OFFICIALUpdated 3 years ago
How do I assume an IAM role using the AWS CLI?
AWS OFFICIALUpdated 9 months ago
How can I attach an IAM managed policy to an IAM role in CloudFormation?
AWS OFFICIALUpdated 8 months ago
How do I use the IAM roles for service accounts (IRSA) feature with Amazon EKS to restrict access to an Amazon S3 bucket?
AWS OFFICIALUpdated 3 years ago
Understanding AWS's Handling of Deleted IAM Roles in Policies
EXPERT
Sercast
published 9 months ago