By using AWS re:Post, you agree to the Terms of Use
/How to assign role for a group of users/

How to assign role for a group of users

0

Hello,

I'm writing terraform manifest, i create roles,groups, users, and assigned users to those groups, now i want to assign roles to groups, i was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what i need.

Any suggestions? is it even possible?

1 Answers
1
Accepted Answer

According the documentation, IAM Identities (users, user groups, and roles), this is not possible.

A user group cannot be identified as a Principal in a resource-based policy. 

The role trust policy is a resource-based policy.

You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.

"Condition": {
       "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
 }
EXPERT
answered 2 months ago
  • Thank you, for the ones who have the same problem, there is a work - around, you can just define multiple users in the role trust policy, adding "AWS": ["user","user2"] in the policy. Very strange why AWS would not make it possible to do the same with groups tho.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions