How can I let the group take on the role?

How can I allow all team members to take on a role in AWS IAM?

I tried using the following statement, but as indicated in the AWS IAM Core Elements, a Group cannot be a Principal.

I want to achieve something like the following:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::***:group/developer" },
          "Action": "sts:AssumeRole"
        }
      ]
    }

The idea is that all members of the group/developer should be able to take on the role. The goal is that I should be saved from having to list each member in a separate group.

Is there any way to achieve this?

+6
2 answers

It can be done differently. But, not sure if this is what you want.

1) Create a policy using create-policy.
2) Attach the policy to the arn:aws:iam::***:role/developer using attach-role-policy.
3) Create the intended Group using create-group.
4) Attach the specified managed policy to the specified group using attach-group-policy.

The same can be achieved using the AWS console or AWS SDK instead of using the CLI. See Attaching a policy to an IAM group.

Thus, you do not need to add roles separately for each member of the group.

+1

Attach a policy to a group that grants permission to call sts:AssumeRole for the desired role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "123",
          "Effect": "Allow",
          "Action": [ "sts:AssumeRole" ],
          "Resource": [ "arn:aws:iam::123456789012:role/desired-role" ]
        }
      ]
    }

Also, attach the Trust Policy to the role. The policy example (below) trusts any user in the account, but the sts:AssumeRole permissions (above) will also be required to take on the role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
+1
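Both answers rest on the same mechanism: a same-account sts:AssumeRole call succeeds only when the role's trust policy admits the caller (here, via the account root principal) AND an identity policy attached to the caller, or to one of the caller's groups, grants sts:AssumeRole on the role ARN. The script below is an added example, not code from the question or either answer. It models that two-sided evaluation offline so you can see why the group-based approach works, why the question's group-ARN Principal cannot, and how an explicit Deny attached to another group the user belongs to still wins. The account id, user names and group names are constructed; the policy documents mirror the second answer.

```python
"""Offline model of the "let a group assume a role" pattern from the answers.

Constructed example (not code from the original question or answers). It
models the two IAM policies that together allow sts:AssumeRole on a role
in the same account, and flags the mistake in the question: a group ARN
used as a Principal, which IAM does not accept.
"""
import fnmatch

ACCOUNT = "123456789012"  # constructed account id, same as in the answer
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/desired-role"

# Identity policy attached to the "developer" group (mirrors the answer).
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "123", "Effect": "Allow",
                   "Action": ["sts:AssumeRole"], "Resource": [ROLE_ARN]}],
}

# Trust policy on the role: trusting the account root means any IAM identity
# in the account that ALSO has sts:AssumeRole permission may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                   "Action": "sts:AssumeRole"}],
}

# The question's attempt: a group ARN as Principal (rejected by IAM).
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:group/developer"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal.AWS."""
    return value if isinstance(value, list) else [value]


def validate_trust_policy(policy):
    """Return the problems a reviewer should flag in a role trust policy."""
    problems = []
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*":
            problems.append("Principal '*' trusts every AWS account")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if ":group/" in arn:
                problems.append(f"{arn}: IAM groups cannot be trust-policy principals")
    return problems


def trust_policy_allows(policy, user_arn):
    """Does the trust policy name this user, or its account root, as principal?"""
    account = user_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        for arn in _as_list(principal.get("AWS", [])):
            if arn in (user_arn, f"arn:aws:iam::{account}:root"):
                return True
    return False


def identity_policies_allow(policies, action, resource):
    """Identity-policy evaluation: explicit Deny wins, else any Allow, else deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive, resource ARNs are not.
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                       for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def can_assume_role(user_arn, groups, group_policies, trust_policy=TRUST_POLICY):
    """Same-account AssumeRole needs BOTH halves: trust policy AND identity policy.

    groups: group names the user belongs to; group_policies: name -> [policy docs].
    """
    if validate_trust_policy(trust_policy):
        return False  # IAM would not even accept this trust policy
    if not trust_policy_allows(trust_policy, user_arn):
        return False
    policies = [p for g in groups for p in group_policies.get(g, [])]
    return identity_policies_allow(policies, "sts:AssumeRole", ROLE_ARN)


if __name__ == "__main__":
    policies = {"developer": [GROUP_POLICY]}
    alice = f"arn:aws:iam::{ACCOUNT}:user/alice"
    bob = f"arn:aws:iam::{ACCOUNT}:user/bob"
    print("alice (developer):", can_assume_role(alice, ["developer"], policies))
    print("bob (auditor):   ", can_assume_role(bob, ["auditor"], policies))
    print("bad trust policy:", validate_trust_policy(BAD_TRUST_POLICY))
```

Adding a user to the developer group is the only step needed to onboard them, which is exactly what the question asks for; removing them from the group revokes the permission without touching the role. The model is deliberately reduced (no conditions, no permissions boundaries, no cross-account paths); for anything production-facing, check the real decision with the IAM policy simulator rather than a script like this.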
