How do I use IAM policy variables with federated users?

2 minute read

When I use the GetFederationToken API to generate temporary credentials, the ${aws:userName} policy variable doesn't work.

Resolution

When using the GetFederationToken API, use the ${aws:userID} policy variable instead of the ${aws:userName} policy variable. This is because the variable ${aws:userName} isn't present if the principal is a federated user. For more information, see where you can use policy variables.

The following JSON IAM policy provides an example where the ${aws:userName} policy variable has been replaced with the ${aws:userID} policy variable:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowListingOfUserFolder",
         "Action":[
            "s3:ListBucket"
         ],

         "Effect":"Allow",

         "Resource":[
            "arn:aws:s3:::TESTBUCKET"
         ],
         "Condition":{
            "StringLike":{
               "s3:prefix":[
                  "TESTBUCKET/${aws:userid}/*"
               ]
            }
         }
      },
      {
         "Sid":"AllowAllS3ActionsInUserFolder",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::TESTBUCKET/${aws:userid}/*"
         ]
      }
   ]
}

The value for the aws:userid variable should be "ACCOUNTNUMBER:caller-specified-name".

When calling the GetFederationToken API, the Name parameter value must follow the guidelines established in GetFederationToken. For example, if you specify the friendly name Bob, the correct format is "123456789102:Bob". This names your session and allows access to the Amazon Simple Storage Service (Amazon S3) bucket with a matching prefix.

Note: This example assumes that the caller-specified name (friendly name) portion of the aws:userid variable is unique. A unique friendly name prevents the scenario where another user with the same friendly name is not granted access to resources specified in the JSON policy. For more information, see Unique identifiers.

Related information

Permissions for GetFederationToken

Token vending machine for identity registration - sample java web application

IAM policy elements: variables and tags

IAM identifiers

Topics

Security, Identity, & Compliance

Relevant content

IAM identity center in policy variables
Accepted Answer
bruno_datalytics
asked 9 months ago
How to use Okta username in IAM policy?
yash_ganthe
asked a year ago
AWS STS GetFederationToken + resource based policy
Accepted Answer
Thomas Laue
asked 9 months ago
Policy Condition for federated users
rePost-User-7546581
asked a year ago
IAM Policy - Allow execute-api on resource with variable
Accepted Answer
rePost-User-7022159
asked 6 months ago
How do I create Route 53 traffic policy records using the AWS CLI?
AWS OFFICIALUpdated 7 months ago
How do I create an IAM policy to control access to Amazon EC2 resources using tags?
AWS OFFICIALUpdated 2 years ago
How can I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?
AWS OFFICIALUpdated 10 months ago
What's the difference between an AWS Organizations service control policy and an IAM policy?
AWS OFFICIALUpdated 2 years ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published a year ago