Access control for S3 Objects using Cognito

1

If a user, authenticated through Cognito, has the ability to assume multiple IAM roles with distinct S3 permissions, will these permissions be aggregated, allowing the user to access S3 objects based on the combined set of permissions from all assumed roles?

2 Answers
1

No, when a user assumes multiple IAM roles with distinct S3 permissions, the permissions are not automatically aggregated. The permissions associated with each assumed role are separate, and the user will have the permissions of the currently assumed role at any given time. If you need a user to have access to resources covered by multiple roles, you may need to manage and coordinate the role assumptions accordingly. You can check the AWS documentation "https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html" on how to manage this.

Hope it clarifies, and if it does, I would appreciate the answer being accepted so that the community can benefit from the clarity. Thanks ;)

EXPERT
answered 3 months ago
  • Thank you for your reply.

    I am seeking to implement access management for S3 objects in a manner similar to Linux file-based permissions.

    My setup involves synchronizing Linux file-based permissions with S3, where folders are represented as S3 objects. Additionally, IAM roles are synchronized with Active Directory (AD) groups, so users are assigned roles based on their group memberships. I require a dynamic solution to manage access to a potentially large number of folders with different AD groups attached.

    For instance, if folder1 has group1 attached and folder2 (a child of folder1) has group2, then only users in both group1 and group2 can access folder2.

    Similarly, I aim to permit access to S3 child objects (e.g., folder2) only if the user can assume both roles (role1 and role2).

    My objective is to grant access to child objects based on my memberships in multiple AD groups (roles), mirroring the functionality of Linux file permissions with groups.

    In summary, I am seeking a dynamic access management solution for S3 objects that takes into account my group memberships (roles) and grants access to child objects based on the combination of roles I belong to.

    Additionally, I am curious if this objective can be achieved using AWS DataZone or any other AWS services?

0

Hi

When using Cognito to federate authenticated users into IAM roles, you trade a Cognito token (which confirms your user has been authenticated) for a set of temporary security credentials (which are for a specific IAM role). This means that each time your Cognito user signs in, they will only have permissions which are associated with a specific IAM role, and not all of the aggregated permissions across the multiple IAM roles which the user can assume.

You can find additional details here on how the authentication flow works for federated users, and here for how IAM roles are created and used in Identity pools for your federated users.

If you have any additional questions regarding this or another issue, please feel free to create a support case via the AWS Support Center for the account which you are experiencing the issue in.

AWS
SUPPORT ENGINEER
answered 3 months ago
  • Thank you for your reply.

    I am seeking to implement access management for S3 objects in a manner similar to Linux file-based permissions.

    My setup involves synchronizing Linux file-based permissions with S3, where folders are represented as S3 objects. Additionally, IAM roles are synchronized with Active Directory (AD) groups, so users are assigned roles based on their group memberships. I require a dynamic solution to manage access to a potentially large number of folders with different AD groups attached.

    For instance, if folder1 has group1 attached and folder2 (a child of folder1) has group2, then only users in both group1 and group2 can access folder2.

    Similarly, I aim to permit access to S3 child objects (e.g., folder2) only if the user can assume both roles (role1 and role2).

    My objective is to grant access to child objects based on my memberships in multiple AD groups (roles), mirroring the functionality of Linux file permissions with groups.

    In summary, I am seeking a dynamic access management solution for S3 objects that takes into account my group memberships (roles) and grants access to child objects based on the combination of roles I belong to.

    Additionally, I am curious if this objective can be achieved using AWS DataZone or any other AWS services?
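As an added illustration of what both answers describe (this is example code written for this page, not AWS's code and not from either answerer), here is a small Python model of a Cognito identity-pool session. Bucket, group, role names and the policies are constructed; the role-mapping rules follow the documented first-matching-rule behaviour of identity-pool rule-based mapping, and the evaluator applies IAM's explicit-deny, allow, implicit-deny order over only the statements of the single role the session received. A user who belongs to both group1 and group2 still gets one role per session, so the folder2 decision comes from that role's policy alone and no union of role1 and role2 is ever evaluated.

```python
"""Simplified model: one Cognito session == one IAM role's permissions.

Constructed sample data (hypothetical bucket, groups, roles, policies).
Added example for illustration; not AWS code and not an exact reproduction
of the IAM policy language.
"""
import fnmatch

BUCKET = "example-bucket"  # hypothetical bucket name

# Constructed role policies: role1 may read folder1 but is explicitly denied
# its child folder2; role2 may read folder2 only.
ROLE_POLICIES = {
    "role1": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/folder1/*"]},
        {"Effect": "Deny", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/folder1/folder2/*"]},
    ],
    "role2": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/folder1/folder2/*"]},
    ],
}

# Constructed rule-based role mapping. As with identity-pool rules, the rules
# are checked in order and the first match decides the role for the session.
# The "groups" claim is modelled as a list of group names (a simplification).
ROLE_MAPPING_RULES = [
    {"Claim": "groups", "MatchType": "Contains", "Value": "group2", "RoleName": "role2"},
    {"Claim": "groups", "MatchType": "Contains", "Value": "group1", "RoleName": "role1"},
]


def select_role(token_claims):
    """Return the single role name a session is issued for these claims, or None."""
    for rule in ROLE_MAPPING_RULES:
        claim = token_claims.get(rule["Claim"], [])
        if rule["MatchType"] == "Contains" and rule["Value"] in claim:
            return rule["RoleName"]
    return None  # no matching rule: no credentials for any role


def _any_match(patterns, value):
    # IAM resource/action wildcards: '*' matches anything, including '/'.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(statements, action, resource):
    """IAM evaluation order: an explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for st in statements:
        if _any_match(st["Action"], action) and _any_match(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def session_can_get(role_name, key):
    """Decision for s3:GetObject on key with only that one role's statements in scope."""
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    return evaluate(ROLE_POLICIES[role_name], "s3:GetObject", resource)


def decide(token_claims, key):
    """Full flow: token claims -> one role -> decision under that role only."""
    role = select_role(token_claims)
    if role is None:
        return (None, "ImplicitDeny")
    return (role, session_can_get(role, key))


if __name__ == "__main__":
    # Constructed user who is a member of both AD groups.
    user = {"groups": ["group1", "group2"]}
    for key in ("folder1/readme.txt", "folder1/folder2/report.txt"):
        print(key, decide(user, key))
    # The session got role2 only, so folder1/readme.txt is implicitly denied
    # even though role1 would allow it; there is no union of the two roles.
```

Running the block shows the member of both groups receiving role2 for the session and being denied `folder1/readme.txt`, which role1 would have allowed. The "only if the user can assume both roles" requirement from the comments therefore cannot be met by combining two sessions; whatever condition is wanted on folder2 has to be expressed in the policy of the one role the session is mapped to.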
