1 Answer
0
I would use tags on the principals instead of group membership with a bucket policy like this:

```json
{
  "Id": "Policy1670278952233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1670278950745",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      },
      "Principal": "*"
    }
  ]
}
```
Thank you for the response. This was helpful. This didn't work exactly as is, but a few small changes got it working.
Changes:
Resulting policy:
I have one question about this approach. Since the principal is set to "*", will users in other accounts who have the correct tag be allowed to access the bucket?

That's a good point. Add the ARN to the Principal to limit it to users in your account.
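Added example (not from the original answer or comments): the tag-based bucket policy from the thread with the Principal scoped to one account, plus a deliberately simplified matcher that shows why Principal "*" also admits tagged principals from other accounts. The account IDs, bucket name and user names are constructed placeholders.

```python
def tag_scoped_bucket_policy(account_id, bucket, tag_key, tag_value):
    """Bucket policy from the answer, with the Principal limited to one account
    and the object ARN added so s3:* also covers object-level actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowTaggedPrincipalsInAccount",
            "Effect": "Allow",
            # Account root ARN: only identities from this account can match.
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {f"aws:PrincipalTag/{tag_key}": tag_value}},
        }],
    }

def statement_matches(stmt, principal_arn, principal_tags):
    """Simplified matcher covering only the Principal element and the
    aws:PrincipalTag StringEquals condition. Real IAM evaluation also weighs
    identity-based policies, explicit denies and SCPs; this is illustrative."""
    principal = stmt["Principal"]
    if principal != "*":
        allowed = principal["AWS"]
        allowed = [allowed] if isinstance(allowed, str) else allowed
        caller_account = principal_arn.split(":")[4]
        # An account root ARN matches any principal of that account.
        if not any(arn.split(":")[4] == caller_account for arn in allowed):
            return False
    for key, expected in stmt["Condition"]["StringEquals"].items():
        tag_key = key.removeprefix("aws:PrincipalTag/")
        if principal_tags.get(tag_key) != expected:
            return False
    return True

def demo():
    """Compare the scoped statement with the original Principal "*" form.
    Account IDs, bucket and user names below are constructed placeholders."""
    policy = tag_scoped_bucket_policy("111122223333", "example-bucket", "role", "admin")
    scoped = policy["Statement"][0]
    unscoped = dict(scoped, Principal="*")  # the answer's original, unscoped form
    same_acct = "arn:aws:iam::111122223333:user/alice"
    other_acct = "arn:aws:iam::444455556666:user/bob"
    return {
        "scoped_same_account_admin": statement_matches(scoped, same_acct, {"role": "admin"}),
        "scoped_same_account_dev": statement_matches(scoped, same_acct, {"role": "dev"}),
        "scoped_other_account_admin": statement_matches(scoped, other_acct, {"role": "admin"}),
        "unscoped_other_account_admin": statement_matches(unscoped, other_acct, {"role": "admin"}),
    }
```

The last entry is the cross-account case raised in the comments: with Principal "*" the tag alone decides, so scoping the Principal to the account is what closes it.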