How to assign role for a group of users

0

Hello,

I'm writing terraform manifest, i create roles,groups, users, and assigned users to those groups, now i want to assign roles to groups, i was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what i need.

Any suggestions? is it even possible?

1 Answer
1
Accepted Answer

According the documentation, IAM Identities (users, user groups, and roles), this is not possible.

A user group cannot be identified as a Principal in a resource-based policy. 

The role trust policy is a resource-based policy.

You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.

"Condition": {
       "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
 }
profile pictureAWS
EXPERT
kentrad
answered 2 years ago
profile picture
EXPERT
reviewed a month ago
  • Thank you, for the ones who have the same problem, there is a work - around, you can just define multiple users in the role trust policy, adding "AWS": ["user","user2"] in the policy. Very strange why AWS would not make it possible to do the same with groups tho.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions