By using AWS re:Post, you agree to the Terms of Use

Resource Policy Condition to restrict access


Hi all, I have a resource policy that I am trying to write a condition for. The policy denies all actions but I want to grant permissions to role that are assumed with Administrator identity. Using SSO, whenever the role is assumed, the identity is different for every user & so I am not sure how can I restrict access based on that?

"Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::012345678912:role/SOMEASSUMEDROLE"

That SOMEASSUMEDROLE part is what I am not figuring out.

Open to suggestions if there's a better way of doing this. Thanks.

1 Answers

Hello there, 

I understand that you are trying to write a condition for a resource policy and that you are trying to grant permissions to a role that is assumed with an Administrator Identity.

In order to achieve this, make sure you have created your IAM roles, see reference [1].

Since you are using a Amazon Resource Name (ARN) condition, please refer to the documentation on reference [2] for ARN condition operators.

SOMEASSUMEDROLE is the name of the AWS Identity and Access Management (IAM) role you are trying to assume therefore you can refer to reference [3] for providing access to IAM users.

Please also see reference [4] for reference identifiers.






answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions