How do I use IAM policy variables with federated users?


When I use the GetFederationToken API to generate temporary credentials, the ${aws:userName} policy variable doesn't work.

Resolution

When the Principal element is a federated user, the ${aws:userName} AWS Identity and Access Management (IAM) policy variable isn't in the request. Instead, use the ${aws:userID} policy variable with GetFederationToken API calls. For more information, see Where you can use policy variables.

In the following JSON policy example, the ${aws:userName} policy variable is replaced with the ${aws:userID} policy variable:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid":"AllowListingOfUserFolder",
         "Action":[
            "s3:ListBucket"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::TESTBUCKET"
         ],
         "Condition":{
            "StringLike":{
               "s3:prefix":[
                  "${aws:userid}/*"
               ]
            }
         }
      },
      {
         "Sid":"AllowAllS3ActionsInUserFolder",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:DeleteObject"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::TESTBUCKET/${aws:userid}/*"
         ]
      }
   ]
}

The value for the aws:userid variable must be ACCOUNTNUMBER:caller-specified-name.

The Name parameter value for GetFederationToken API calls must follow the GetFederationToken guidelines. For example, if you specify the friendly name Bob, then the correct format is 123456789102:Bob. This value names your session and allows access only to the part of the Amazon Simple Storage Service (Amazon S3) bucket whose prefix matches it.

Note: The preceding example assumes that the caller-specified friendly name in the aws:userid value is a unique identifier. If the friendly name is unique, no other user can obtain credentials with the same friendly name and gain access to the resources that the JSON policy specifies.
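As an added illustration (not code from the article), the following Python script renders the preceding policy for a GetFederationToken caller and evaluates sample S3 requests with a simplified matcher, which shows why the ACCOUNTNUMBER:Name value scopes each caller to their own folder and why two callers that share a friendly name receive identical access. The account ID and bucket name are constructed, and the evaluation logic is a hypothetical helper, not the IAM policy engine.

```python
import fnmatch
import json

# Constructed values for this example; not a real account or bucket.
ACCOUNT_ID = "123456789102"

# The article's policy. s3:prefix is compared with the object-key prefix of
# the ListBucket request, which never includes the bucket name.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingOfUserFolder", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::TESTBUCKET"],
         "Condition": {"StringLike": {"s3:prefix": ["${aws:userid}/*"]}}},
        {"Sid": "AllowAllS3ActionsInUserFolder", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject",
                    "s3:GetObjectVersion", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::TESTBUCKET/${aws:userid}/*"]},
    ],
}


def federated_userid(account_id, name):
    """aws:userid for a GetFederationToken caller is ACCOUNTNUMBER:Name."""
    return f"{account_id}:{name}"


def render_policy(policy, variables):
    """Substitute ${var} policy variables before evaluation, as IAM does."""
    text = json.dumps(policy)
    for key, value in variables.items():
        text = text.replace("${" + key + "}", value)
    return json.loads(text)


def is_allowed(userid, action, resource, context=None):
    """Hypothetical simplified evaluator for POLICY (Allow statements only):
    the action must be listed, the resource must match a pattern, and every
    StringLike condition key must match; a missing context key fails."""
    context = context or {}
    for stmt in render_policy(POLICY, {"aws:userid": userid})["Statement"]:
        if action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if all(any(fnmatch.fnmatchcase(context.get(k, ""), p) for p in pats)
               for k, pats in cond.items()):
            return True
    return False
```

Calling is_allowed with the userid for Bob against Bob's own folder returns True, while the userid for Alice against Bob's folder returns False; a second caller that also specifies the friendly name Bob gets the same userid and therefore the same access.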

Related information

Permissions for GetFederationToken

IAM policy elements: variables and tags

IAM identifiers

AWS OFFICIAL

Updated 4 months ago