3 Answers
- Newest
- Most votes
- Most comments
2
Hi, look at section aws:PrincipalArn of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
It seems that your arn string is incorrect: 'sts' not needed.
The example of the doc is given below
IAM role – The request context contains the following value for condition key aws:PrincipalArn.
Do not specify the assumed role session ARN as a value for this condition key.
For more information about the assumed role session principal, see Role session principals.
arn:aws:iam::123456789012:role/role-name
0
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-sessions "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }
answered 6 months ago
0
HI Have you fixed it ? I have the same issue and tried booth solutions shown above but not ways "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" } arn:aws:iam::123456789012:role/role-name
Regards Sofiane
answered 4 days ago
Relevant content
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 2 years ago
I missed that. This answers my question why it doesn't work. However, I want to use the assumed-role arn to narrow down access to a specific user in the group, so just role arn won't do. Do you know of any other way I could narrow it down to a specific SSO user?