How to assign role for a group of users
0
Hello,
I'm writing a Terraform manifest. I created roles, groups, and users, and assigned users to those groups. Now I want to assign roles to groups. I was not able to find anything about that by googling, except this https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/latest/examples/iam-group-with-assumable-roles-policy, which apparently doesn't do what I need.
Any suggestions? Is it even possible?
asked 2 months ago, 4 views
1 Answer
1
Accepted Answer
According to the documentation, IAM Identities (users, user groups, and roles), this is not possible.
A user group cannot be identified as a Principal in a resource-based policy.
The role trust policy is a resource-based policy.
You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.
    "Condition": {
        "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
    }
Thank you. For the ones who have the same problem, there is a workaround: you can just define multiple users in the role trust policy, adding
    "AWS": ["user","user2"]
in the policy. Very strange why AWS would not make it possible to do the same with groups, though.
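The tag condition from the accepted answer, written as Terraform (an added example, not code from the thread). The role, group and user names and the tag value `blue` are hypothetical, and the group policy is an assumption added here: because the trust policy names the account rather than individual users, members still need an identity policy that allows `sts:AssumeRole`, and that policy can be attached to the group.

```hcl
# Added example: all resource names and the tag value "blue" are hypothetical.
data "aws_caller_identity" "current" {}

# Trust policy: principals in this account may assume the role only when
# their "project" tag equals the role's "project" tag (condition from the answer).
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/project"
      # "&{...}" is rendered as "${...}" in the JSON, so Terraform does not
      # try to interpolate the IAM policy variable itself.
      values = ["&{aws:PrincipalTag/project}"]
    }
  }
}

resource "aws_iam_role" "project" {
  name               = "project-blue-deployer"
  assume_role_policy = data.aws_iam_policy_document.trust.json
  tags               = { project = "blue" }
}

resource "aws_iam_group" "developers" {
  name = "developers"
}

# Identity policy on the group: every member may call sts:AssumeRole on this
# role, but the trust policy still rejects members without the matching tag.
resource "aws_iam_group_policy" "assume_project_role" {
  name  = "assume-project-role"
  group = aws_iam_group.developers.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = aws_iam_role.project.arn
    }]
  })
}
```

Users in the group also need `tags = { project = "blue" }` on their `aws_iam_user` resource for the condition to match. In a `jsonencode` or heredoc policy, write the variable as `$${aws:PrincipalTag/project}` instead of using `&{...}`.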