Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

IAM policy condition key PrincipalArn not working for AWS SSO users?

0

I have AWS SSO. There's a group, a permission set attached to the group, and an inline policy is attached to the permission set. I want to allow just one user of the group to do a certain action, here's a part of the inline policy that should do it:

Sid : "ECSExecuteCommand",
      "Effect" : "Allow",
      "Action" : "ecs:ExecuteCommand",
      "Resource" : "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name"
        }
      }

However, it doesn't work. I'm getting the following error:

An error occurred (AccessDeniedException) when calling the ExecuteCommand operation: User: arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name is not authorized to perform: ecs:ExecuteCommand on resource: arn:aws:ecs:us-east-1:aws-account-id:cluster/default because no identity-based policy allows the ecs:ExecuteCommand action.

Where am I wrong here?

  • Suddhasattwa Mukherjee
    a year ago

    I know it is an older thread. But in case anyone also trying to explore this option I would suggest to follow this approach (Restrict access when user is using cross account switch role )

    "Condition": { "StringEquals": { "aws:userid": <value> } }

    You can get the user id from command aws sts get-caller-identity

Topics
Security, Identity, & Compliance
Tags
AWS IAM Identity CenterAWS Identity and Access ManagementIAM Policies
Language
English
asked 3 years ago6.9K views
4 Answers
2

Hi, look at section aws:PrincipalArn of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

It seems that your arn string is incorrect: 'sts' not needed.

The example of the doc is given below

IAM role – The request context contains the following value for condition key aws:PrincipalArn. 
Do not specify the assumed role session ARN as a value for this condition key. 
For more information about the assumed role session principal, see Role session principals.

arn:aws:iam::123456789012:role/role-name
EXPERT
answered 3 years ago
EXPERT
reviewed 3 years ago
  • Anton
    3 years ago

    I missed that. This answers my question why it doesn't work. However, I want to use the assumed-role arn to narrow down access to a specific user in the group, so just role arn won't do. Do you know of any other way I could narrow it down to a specific SSO user?

0

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-sessions "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }

AWS
answered 3 years ago
0

HI Have you fixed it ? I have the same issue and tried booth solutions shown above but not ways "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" } arn:aws:iam::123456789012:role/role-name

Regards Sofiane

answered 2 years ago
0

Just in case, someone else have the same prob even if this is an old post.

In a similar setup, i have the same use case. I have the following condition worked for my use case. "Condition": { "StringLike": { "aws:PrincipalArn": "arn:aws:iam:::role/aws-reserved/sso.amazonaws.com//AWSReservedSSO_*/some_user_here" } }

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content