问题
How can I allow all members of a Group to assume a Role in AWS IAM?
I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.
I want to achieve something like below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::***:group/developer"
},
"Action": "sts:AssumeRole"
}
]
}
The idea is that all members of the group group/developer should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.
Is there a way to achieve this?
回答1:
Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "123",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::123456789012:role/desired-role"
]
}
]
}
Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole"
}
]
}
回答2:
You cannot specify IAM groups as principals.
You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.
Per the documentation in AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
回答3:
As of December 2018 (no idea if they were correct at the time of writing) some statements expressed above about the limitations to groups sound misleading.
I'd like to add/clarify the accepted answer:
1) trusting sts:AssumeRole to ..:root user only POTENTIALLY allows any user to assume the role in question. Unless you also grant the permission to some user or group to assume the role, it will not be allowed.
2) if you, like me, cannot have the permissions specified in the group definition because of resources living in different stacks and/or circular dependencies, the code to define a policy associated with a group is:
DevelopersAccess:
Type: AWS::IAM::Policy
Properties:
Groups:
- !ImportValue another-stack-DevelopersGroupNameNotArn
PolicyName: DevelopersAccess
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- sts:AssumeRole
Resource:
- arn:aws:iam::123456789012:role/desired-role
Note that under Groups you have to list group names, not ARNs.
回答4:
This can be done in a different way. But, not sure whether this is what you want.
1) Create a policy using create-policy.
2) Attach the policy to the arn:aws:iam::***:role/developer role using attach-role-policy.
3) Create the intended Group using create-group.
4) Attach the specified managed policy to the specified Group using attach-group-policy.
Same can be achieved through AWS console or AWS SDK instead of using CLI. Please see Attaching a Policy to an IAM Group
This way, you don't have to add the roles individually to each member in the group.
来源:https://stackoverflow.com/questions/34922920/how-can-i-allow-a-group-to-assume-a-role