1 answer
According to the documentation on IAM identities (users, user groups, and roles), this is not possible.
A user group cannot be identified as a Principal in a resource-based policy.
The role trust policy is a resource-based policy.
You can achieve something similar using a condition in the trust policy that compares the tag on the role to the tag on the user.
```json
"Condition": {
  "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
}
```
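A complete setup around that condition, added here as an example and not code from the answer: the trust policy trusts the whole account but only admits principals whose `project` tag equals the role's, the group gets an identity policy allowing `sts:AssumeRole` on the role, and each member user is tagged (groups themselves cannot be tagged). The account ID, role, group and user names are assumed placeholders.

```shell
# Assumed placeholders, not values from the original post.
ACCOUNT_ID="111122223333"
ROLE_NAME="project-alpha-role"
GROUP_NAME="project-alpha-devs"
PROJECT="alpha"

# Trust policy (resource-based). The "\$" keeps ${aws:PrincipalTag/project}
# literal so the shell does not expand it; IAM resolves it at evaluation time.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::${ACCOUNT_ID}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:ResourceTag/project": "\${aws:PrincipalTag/project}"}
    }
  }]
}
EOF
}

# Identity policy attached to the group: members may call AssumeRole on this
# role, but the trust policy's tag comparison still decides who succeeds.
assume_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}"
  }]
}
EOF
}

apply_all() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)" \
    --tags "Key=project,Value=$PROJECT"
  aws iam put-group-policy --group-name "$GROUP_NAME" \
    --policy-name AssumeProjectRole --policy-document "$(assume_policy)"
  # Groups cannot carry tags, so the tag must sit on every member user.
  for u in user1 user2; do
    aws iam tag-user --user-name "$u" --tags "Key=project,Value=$PROJECT"
  done
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run with `apply` as the first argument to create the resources; a user without the `project` tag, or with a different value, is refused by the trust policy even though the group policy allows the call.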
Thank you. For the ones who have the same problem, there is a workaround: you can just define multiple users in the role trust policy, adding
```json
"AWS": ["arn:aws:iam::<account-id>:user/user", "arn:aws:iam::<account-id>:user/user2"]
```
in the policy. Very strange why AWS would not make it possible to do the same with groups, though.