1개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
1
According the documentation, IAM Identities (users, user groups, and roles), this is not possible.
A user group cannot be identified as a Principal in a resource-based policy.
The role trust policy is a resource-based policy.
You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.
"Condition": {
"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
}
관련 콘텐츠
- AWS 공식업데이트됨 2년 전
Thank you, for the ones who have the same problem, there is a work - around, you can just define multiple users in the role trust policy, adding
"AWS": ["user","user2"]
in the policy. Very strange why AWS would not make it possible to do the same with groups tho.