How can I allow a Group to assume a Role?

You cannot specify IAM groups as principals.

You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.

Per the documentation in AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/desired-role"
            ]
        }
    ]
}

Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

How can I allow a Group to assume a Role?

Tags:

Amazon Web Services

Amazon Iam

Identity Management

Related

Recent Posts