It is possible to set multiple value in a aws:PrincipalTag for IAM policy ?
Currently, I have federated users with a project attribute in their JWT and
depending on this value I can give access to a specific "folders" in my s3 bucket.
For a JWT with following value:
"https://aws.amazon.com/tags": {
"principal_tags": {
"project": [
"foo"
]
}
}
and my AWS policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TagBasedAccess",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::myawesomebucket",
"Condition": {
"StringLike": {
"s3:prefix": "${aws:PrincipalTag/project}/*"
}
}
}
]
}
It grant user access to arn:aws:s3:::myawesomebucket/foo/ with success.
Now I will make it work for multiple values in the project attribute (give access to multiple s3 "folder"). But I have no idea how to perform this.
EDIT:
in AWS documentation (AWS doc):
you can include multiple values in a single tag with a custom separator. In this example, you could attach the
team = Engineering:QAtag to Zhang. To control access to engineers in this example using the team tag, you must create a policy that allows for every configuration that might includeEngineering, includingEngineering:QA
but they dont say how to perform this...
There is an AWS document relating to this question: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions
Direct quote from the document:
Please refer the original documents for more information. You might want to know, for example, how condition operators and condition blocks work in this context.