Not all resources and resource actions support the global condition key aws:ResourceTag.
Your actions ListBucket and GetBucket* do not support it.
Refer to the Service Authorization Reference for which condition keys are supported: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html
I have a very similar but different use-case. My ABAC is working but different from yours. I have some ideas if you are interested.
I suggest you take a step back and implement one Identity Center Principal property on the S3 and get that working with a hard coded compare.
- Next step: add the Principal attribute to an S3 resource tag. My use case doesn't need this step but IMHO if you get one thing working it will all start making sense.
In my case I used one Principal property from the RFC and connected it to my S3 bucket(s). I added a "userType" from the RFC and gave it a value that was similar to other ones. It then showed up in Identity Center as "User type". I was able to give it a value of "XX" and then able to add it to an IAM policy.
If interested I can give you a few more specifics, but my recommendation is to start simple.
Note there are some things in your policy I don't understand how you created. I would start with the GUI, not JSON, when starting this migration. Maybe an array of resources makes sense when the array is "['*']", but why, since resource: '*' means all values? I am truly confused what you really want it to do.
Thank you, you are right. When I switched from S3 to EC2 and the StartInstances and StopInstances actions it works as expected. Would you please be willing to further clear up how the values in the policy work? Like where to use path, and why the Department tag is under the enterprise.department value? My understanding is that:
- dir: is applicable only when you use AD as identity source
- path: is applicable only when you use an external IdP and SCIM
- user: can be used to pass attributes to downstream SAML applications (and only user: attributes can be used, not path: and dir:)
department is put under enterprise, I guess, just following the model in SCIM.
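An added example, not a policy from anyone in this thread: a small Python model of how IAM evaluates a StringEquals condition, showing why the tag-matching statement works for EC2 StartInstances/StopInstances but silently fails for an action that does not populate aws:ResourceTag in the request context (the answer above names ListBucket). The policy shape, the Department tag name, and the request contexts are constructed assumptions.

```python
"""Constructed ABAC policy and a simplified IAM condition evaluator."""
import fnmatch
from typing import Dict, Optional

# Constructed policy: principal tag must equal the resource tag. The second
# statement mirrors the thread's failing case: a condition on an action that
# the answer above says does not support aws:ResourceTag.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}},
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}},
    ],
}

def request_context(action: str, principal_tags: Dict[str, str],
                    resource_tags: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Build a constructed request context. resource_tags=None models a
    service action that never supplies aws:ResourceTag/* keys."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    for k, v in (resource_tags or {}).items():
        ctx[f"aws:ResourceTag/{k}"] = v
    ctx["action"] = action
    return ctx

def _resolve(value: str, ctx: Dict[str, str]) -> Optional[str]:
    # Expand a ${key} policy variable; an absent key resolves to nothing.
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value

def is_allowed(policy: dict, ctx: Dict[str, str]) -> bool:
    """Allow only if some statement matches the action and every condition
    key is present in the context and equal. IAM semantics: a key that is
    missing from the request makes StringEquals false (implicit deny)."""
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(ctx["action"].lower(), a.lower()) for a in acts):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(ctx.get(k) is not None and ctx[k] == _resolve(v, ctx)
               for k, v in conds.items()):
            return stmt["Effect"] == "Allow"
    return False
```

The third case is the thread's symptom: the statement looks right, but because the service never provides the resource-tag key, the condition can never be satisfied and the request is denied.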