- Newest
- Most votes
- Most comments
To adjust your policy to restrict access to a particular S3 bucket for users logging in through SSO by assuming a specific IAM role, while ensuring it doesn't restrict access for users logging in through other roles, you can use the ${aws:userid} variable. This variable allows you to create conditions based on the unique combination of the role and the user assuming the role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::{bucket-name}", "arn:aws:s3:::{bucket-name}/*" ], "Condition": { "StringNotLike": { "aws:userid": "{role-id}:{user-name}" } } } ] }
In this policy, replace {bucket-name} with your bucket name, {role-id} with the role ID of the specific IAM role, and {user-name} with the user name or a wildcard pattern matching the users who assume this role. The aws:userid variable combines the role ID and the user's unique name (or session name) in the format role-id:user-name.
If this has resolved your issue or was helpful, accepting the answer would be greatly appreciated. Thank you!
We need to use StringNotLike here . But the initial problem was solved . Thanks
Hey Mina, in your suggested policy, I guess you'll need to change the effect to "Allow", to only allow the user with the role attached to access the S3 bucket, or change the condition to be "StringNotLike".
Relevant content
- Accepted Answerasked a year ago
- asked 2 years ago
- asked 10 months ago
AWS OFFICIALUpdated 7 months ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Your ARN looks to be off. Can you verify the role ARN? i.e. arn:aws:iam::1234567890:role/MY_ROLE