Root user vs account ID in resource policy
0
When referencing a principal in a resource policy (e.g. S3 bucket policy), it can be specified as either of the following:
"Principal": { "AWS": [ "arn:aws:iam::111122223333:root" ] }
"Principal": { "AWS": [ "111122223333" ] }
From what I can tell, these are equivalent. Is there any hidden difference between them?
feita há 10 meses663 visualizações
1 Resposta
- Mais recentes
- Mais votos
- Mais comentários
0
Hi Shahar, it is exact same thing
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
AWS account principals
You can specify AWS account identifiers in the Principal element of a resource-based
policy or in condition keys that support principals. This delegates authority to the
account. When you allow access to a different account, an administrator in that account
must then grant access to an identity (IAM user or role) in that account. When you specify an
AWS account, you can use the account ARN (arn:aws:iam::account-ID:root), or a shortened form t
hat consists of the "AWS": prefix followed by the account ID.
For example, given an account ID of 123456789012, you can use either of the following methods
to specify that account in the Principal element:
"Principal": { "AWS": "arn:aws:iam::123456789012:root" }
"Principal": { "AWS": "123456789012" }
The account ARN and the shortened account ID behave the same way. Both delegate permissions
to the account. Using the account ARN in the Principal element does not limit permissions to
only the root user of the account.
Best, Didier
Conteúdo relevante
AWS OFICIALAtualizada há 2 anos- AWS OFICIALAtualizada há 7 meses