Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

How to assign role for a group of users

0

Hello,

I'm writing terraform manifest, i create roles,groups, users, and assigned users to those groups, now i want to assign roles to groups, i was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what i need.

Any suggestions? is it even possible?

Tópicos
Segurança, identidade e conformidadeGestão e governança
Tags
AWS Identity and Access ManagementInterface da linha de comando da AWSPolíticas do IAM
Idioma
English
Joann Babak
feita há 2 anos1344 visualizações
1 Resposta
1
Resposta aceita

According the documentation, IAM Identities (users, user groups, and roles), this is not possible.

A user group cannot be identified as a Principal in a resource-based policy.

The role trust policy is a resource-based policy.

You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.

"Condition": {
       "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
 }
profile pictureAWS
ESPECIALISTA
kentrad
respondido há 2 anos
  • Joann Babak
    há 2 anos

    Thank you, for the ones who have the same problem, there is a work - around, you can just define multiple users in the role trust policy, adding "AWS": ["user","user2"] in the policy. Very strange why AWS would not make it possible to do the same with groups tho.

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante