How can I allow a Group to assume a Role?
Amazon Web-ServicesAmazon IamIdentity ManagementAmazon Web-Services Problem Overview
How can I allow all members of a Group to assume a Role in AWS IAM?
I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.
I want to achieve something like below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::***:group/developer"
},
"Action": "sts:AssumeRole"
}
]
}
The idea is that all members of the group group/developer
should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.
Is there a way to achieve this?
Amazon Web-Services Solutions
Solution 1 - Amazon Web-Services
Attach a policy to the Group that grants permission to call sts:AssumeRole
on the desired Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "123",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::123456789012:role/desired-role"
]
}
]
}
Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole
permissions (above) to assume the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole"
}
]
}
Solution 2 - Amazon Web-Services
You cannot specify IAM groups as principals.
You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.
Per the documentation in AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
Solution 3 - Amazon Web-Services
As of December 2018 (no idea if they were correct at the time of writing) some statements expressed above about the limitations to groups sound misleading.
I'd like to add/clarify the accepted answer:
-
trusting
sts:AssumeRole
to..:root
user only POTENTIALLY allows any user to assume the role in question. Unless you also grant the permission to some user or group to assume the role, it will not be allowed. -
if you, like me, cannot have the permissions specified in the group definition because of resources living in different stacks and/or circular dependencies, the code to define a policy associated with a group is:
DevelopersAccess: Type: AWS::IAM::Policy Properties: Groups: - !ImportValue another-stack-DevelopersGroupNameNotArn PolicyName: DevelopersAccess PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - sts:AssumeRole Resource: - arn:aws:iam::123456789012:role/desired-role
Note that under Groups
you have to list group names, not ARNs.
Solution 4 - Amazon Web-Services
This can be done in a different way. But, not sure whether this is what you want.
- Create a policy using create-policy.
- Attach the policy to the
arn:aws:iam::***:role/developer
role using attach-role-policy. - Create the intended
Group
using create-group. - Attach the specified managed policy to the specified Group using attach-group-policy.
Same can be achieved through AWS console or AWS SDK instead of using CLI. Please see Attaching a Policy to an IAM Group
This way, you don't have to add the roles individually to each member in the group.