By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

IAM policy condition key PrincipalArn not working for AWS SSO users?

0

I have AWS SSO. There's a group, a permission set attached to the group, and an inline policy is attached to the permission set. I want to allow just one user of the group to do a certain action, here's a part of the inline policy that should do it:

Sid : "ECSExecuteCommand",
      "Effect" : "Allow",
      "Action" : "ecs:ExecuteCommand",
      "Resource" : "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name"
        }
      }

However, it doesn't work. I'm getting the following error:

An error occurred (AccessDeniedException) when calling the ExecuteCommand operation: User: arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name is not authorized to perform: ecs:ExecuteCommand on resource: arn:aws:ecs:us-east-1:aws-account-id:cluster/default because no identity-based policy allows the ecs:ExecuteCommand action.

Where am I wrong here?

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access ManagementAWS IAM Identity CenterIAM Policies
Language
English
Anton
asked a year ago2176 views
3 Answers
2

Hi, look at section aws:PrincipalArn of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

It seems that your arn string is incorrect: 'sts' not needed.

The example of the doc is given below

IAM role – The request context contains the following value for condition key aws:PrincipalArn. 
Do not specify the assumed role session ARN as a value for this condition key. 
For more information about the assumed role session principal, see Role session principals.

arn:aws:iam::123456789012:role/role-name
profile pictureAWS
EXPERT
Didier_Durand
answered a year ago
profile picture
EXPERT
Antonio_Lagrotteria
reviewed a year ago
  • Anton
    a year ago

    I missed that. This answers my question why it doesn't work. However, I want to use the assumed-role arn to narrow down access to a specific user in the group, so just role arn won't do. Do you know of any other way I could narrow it down to a specific SSO user?

0

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-sessions "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }

AWS
Zuraida_W
answered 6 months ago
0

HI Have you fixed it ? I have the same issue and tried booth solutions shown above but not ways "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" } arn:aws:iam::123456789012:role/role-name

Regards Sofiane

dzmoon
answered 4 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content