TechQA.

Assume any role based on condition

375 views Asked by At

I want to have an IAM user that have a permission to assume any role that have access to any S3 bucket. I have the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

Currently my IAM user can assume any role, how can I limit the user so it can assume only the roles that have read/write access to any S3 bucket in any region

amazon-web-services amazon-s3 amazon-iam assume-role
Original Q&A
1

There are 1 answers

0
Dennis Traub On

A way to do this is by tagging the respective roles, e.g. with the Key S3Access set to True, and then use a policy using the tag as a condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeTaggedRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/*",
            "Condition": {
                "StringEquals": {"iam:ResourceTag/S3Access": "True"}
            }
        }
    ]
}

To learn more, check out Controlling access to and for IAM users and roles using tags in the AWS IAM user guide.

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-S3

Related Questions in AMAZON-IAM

Related Questions in ASSUME-ROLE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions