Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How to assign role for a group of users

0

Hello,

I'm writing terraform manifest, i create roles,groups, users, and assigned users to those groups, now i want to assign roles to groups, i was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what i need.

Any suggestions? is it even possible?

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Identity and Access ManagementAWS Command Line InterfaceIAM Policies
Language
English
asked 3 years ago2.1K views
1 Answer
1
Accepted Answer

According the documentation, IAM Identities (users, user groups, and roles), this is not possible.

A user group cannot be identified as a Principal in a resource-based policy.

The role trust policy is a resource-based policy.

You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.

"Condition": {
       "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
 }
AWS
EXPERT
answered 3 years ago
EXPERT
reviewed a year ago
  • Joann Babak
    3 years ago

    Thank you, for the ones who have the same problem, there is a work - around, you can just define multiple users in the role trust policy, adding "AWS": ["user","user2"] in the policy. Very strange why AWS would not make it possible to do the same with groups tho.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content