Resource Policy Condition to restrict access


Hi all, I have a resource policy that I am trying to write a condition for. The policy denies all actions, but I want to grant permissions to roles that are assumed with an Administrator identity. Using SSO, whenever the role is assumed, the identity is different for every user, so I am not sure how I can restrict access based on that.

"Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::012345678912:role/SOMEASSUMEDROLE"
                }
            }

That SOMEASSUMEDROLE part is what I am not figuring out.

Open to suggestions if there's a better way of doing this. Thanks.

1 Answer

Hello there, 

I understand that you are trying to write a condition for a resource policy and that you are trying to grant permissions to a role that is assumed with an Administrator Identity.

In order to achieve this, make sure you have created your IAM roles, see reference [1].

Since you are using an Amazon Resource Name (ARN) condition, please refer to the documentation in reference [2] for ARN condition operators.

SOMEASSUMEDROLE is the name of the AWS Identity and Access Management (IAM) role you are trying to assume; therefore, you can refer to reference [3] for providing access to IAM users.

Please also see reference [4] for reference identifiers.

References:

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html

[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_aws-accounts.html

[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html

answered 2 years ago
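The following is an added illustration, not code from the question or the answer above. It models how the ARN condition operators from reference [2] evaluate `aws:PrincipalArn` and uses that to show why the `ArnNotEquals` condition in the question cannot match an IAM Identity Center (SSO) role, and how an `ArnNotLike` wildcard pattern does. Two documented facts drive the example: for a request made with an assumed role, `aws:PrincipalArn` carries the ARN of the IAM role itself, not the per-user assumed-role session ARN; and Identity Center creates the role for a permission set under the path `/aws-reserved/sso.amazonaws.com/` (optionally with a region sub-path) with the name `AWSReservedSSO_<PermissionSetName>_<random suffix>`. The account id, the permission set name `AdministratorAccess`, the random suffix and the `Developer` role are constructed values; the matcher is a local approximation of IAM's behaviour, not an AWS library.

```python
"""
Local model of IAM's ArnEquals / ArnLike / ArnNotEquals / ArnNotLike
operators applied to the aws:PrincipalArn condition key.

Added example for the re:Post thread above; not AWS code.  IAM compares
an ARN pattern against the request ARN one colon-delimited field at a
time (arn:partition:service:region:account:resource), allowing '*' and
'?' wildcards in every field.  ArnEquals behaves the same as ArnLike.
"""
import re

ACCOUNT = "012345678912"  # constructed example account id

# What IAM puts in aws:PrincipalArn for a session of an Identity Center
# permission set.  The naming scheme is the real one; the suffix is made up.
SSO_ADMIN_ROLE = (
    f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
    "AWSReservedSSO_AdministratorAccess_0123456789abcdef"
)
# Same permission set provisioned with a region sub-path (also a real form).
SSO_ADMIN_ROLE_REGIONAL = (
    f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
    "us-east-1/AWSReservedSSO_AdministratorAccess_fedcba9876543210"
)
OTHER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Developer"  # constructed

# Condition from the question: exact match against a fixed role name.
ORIGINAL_CONDITION = {
    "ArnNotEquals": {
        "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:role/SOMEASSUMEDROLE"
    }
}

# Wildcard over the random suffix and the optional region sub-path, so
# the Deny is skipped for any AdministratorAccess permission-set role.
FIXED_CONDITION = {
    "ArnNotLike": {
        "aws:PrincipalArn": [
            f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
            "*AWSReservedSSO_AdministratorAccess_*"
        ]
    }
}


def _glob_to_regex(glob: str) -> str:
    """Translate IAM's '*' / '?' wildcards into a regex for one ARN field."""
    return re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".")


def arn_like(pattern: str, arn: str) -> bool:
    """Approximation of the ArnLike operator: field-by-field, case-sensitive."""
    pat_fields = pattern.split(":", 5)
    arn_fields = arn.split(":", 5)
    if len(pat_fields) != 6 or len(arn_fields) != 6:
        return False  # malformed ARN or pattern never matches
    return all(
        re.fullmatch(_glob_to_regex(p), a) is not None
        for p, a in zip(pat_fields, arn_fields)
    )


_POSITIVE = {"ArnEquals", "ArnLike"}
_NEGATED = {"ArnNotEquals", "ArnNotLike"}


def condition_matches(condition: dict, principal_arn: str) -> bool:
    """True when every operator block in the Condition is satisfied for a
    request whose aws:PrincipalArn is principal_arn.  For a Deny statement
    this is exactly 'the Deny applies'.  A list of values is OR-ed for the
    positive operators; the negated operators require that none match."""
    for operator, keys in condition.items():
        if operator not in _POSITIVE | _NEGATED:
            raise ValueError(f"unsupported operator in this model: {operator}")
        values = keys["aws:PrincipalArn"]
        if isinstance(values, str):
            values = [values]
        any_match = any(arn_like(v, principal_arn) for v in values)
        if operator in _POSITIVE and not any_match:
            return False
        if operator in _NEGATED and any_match:
            return False
    return True


if __name__ == "__main__":
    for name, cond in (("original", ORIGINAL_CONDITION), ("fixed", FIXED_CONDITION)):
        for arn in (SSO_ADMIN_ROLE, SSO_ADMIN_ROLE_REGIONAL, OTHER_ROLE):
            verdict = "DENY applies" if condition_matches(cond, arn) else "Deny skipped"
            print(f"{name:8} {arn.rsplit('/', 1)[-1]:50} {verdict}")
```

The model shows the practical point: the per-user difference the question describes lives in the assumed-role session ARN (`arn:aws:sts::...:assumed-role/<role>/<user>`), which is what CloudTrail displays, but the condition key is evaluated against the role ARN, so the only variable parts to handle are the permission-set suffix and the optional region sub-path, and `ArnNotLike` with `*` covers both. Before deploying a Deny-everything resource policy with such an exception, test it with the IAM policy simulator or on a non-critical resource; a Deny that excludes the wrong ARN locks out administrators as well.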
