IAM policy condition key PrincipalArn not working for AWS SSO users?

0

I have AWS SSO. There's a group, a permission set attached to the group, and an inline policy is attached to the permission set. I want to allow just one user of the group to do a certain action, here's a part of the inline policy that should do it:

```json
{
  "Sid": "ECSExecuteCommand",
  "Effect": "Allow",
  "Action": "ecs:ExecuteCommand",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalArn": "arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name"
    }
  }
}
```

However, it doesn't work. I'm getting the following error:

An error occurred (AccessDeniedException) when calling the ExecuteCommand operation: User: arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name is not authorized to perform: ecs:ExecuteCommand on resource: arn:aws:ecs:us-east-1:aws-account-id:cluster/default because no identity-based policy allows the ecs:ExecuteCommand action.

Where am I wrong here?

3 answers
2

Hi, look at section aws:PrincipalArn of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

It seems that your arn string is incorrect: 'sts' not needed.

The example of the doc is given below

IAM role – The request context contains the following value for condition key aws:PrincipalArn. 
Do not specify the assumed role session ARN as a value for this condition key. 
For more information about the assumed role session principal, see Role session principals.

arn:aws:iam::123456789012:role/role-name
AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • I missed that. This answers my question why it doesn't work. However, I want to use the assumed-role ARN to narrow down access to a specific user in the group, so just the role ARN won't do. Do you know of any other way I could narrow it down to a specific SSO user?
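To see why the original condition can never match, and how the corrected one behaves, here is an added example (editor's code, not from the answer or from AWS): it builds the request-context values IAM derives from an assumed-role session and evaluates a StringEquals block against them. It goes one step beyond the thread by also checking aws:userid, whose session-name part is the SSO user name; the account ID, role suffix and ROLE_ID are constructed placeholders.

```python
import re

# Constructed sample, modelled on the session ARN in the question's error message.
# For an assumed-role session IAM sets aws:PrincipalArn to the *role* ARN, not the
# sts session ARN shown in the AccessDenied message.
SESSION_ARN = "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Developers_abc123/user-name"
ROLE_ID = "AROAEXAMPLEROLEID"  # placeholder; the real value is the role's RoleId

_SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")

def request_context(session_arn, role_id):
    """Return the subset of the IAM request context this policy cares about.
    aws:PrincipalArn -> role ARN; aws:userid -> role-id:role-session-name."""
    m = _SESSION_RE.match(session_arn)
    if not m:
        raise ValueError("not an assumed-role session ARN")
    account, role_name, session_name = m.groups()
    return {
        "aws:PrincipalArn": f"arn:aws:iam::{account}:role/{role_name}",
        "aws:userid": f"{role_id}:{session_name}",
    }

def string_equals(condition, ctx):
    """Evaluate a StringEquals block: every listed key must match exactly."""
    return all(ctx.get(key) == value for key, value in condition.items())

# The question's condition: compares against the session ARN, so it never matches.
ORIGINAL = {"aws:PrincipalArn": SESSION_ARN}
# The answer's fix: the role ARN, which matches every member of the SSO group.
ROLE_ONLY = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/AWSReservedSSO_Developers_abc123"}
# Beyond the thread: add aws:userid so only the session named after one SSO user matches.
ONE_USER = {**ROLE_ONLY, "aws:userid": f"{ROLE_ID}:user-name"}

def evaluate(condition, session_arn=SESSION_ARN, role_id=ROLE_ID):
    """True when the condition would let the Allow statement apply to this session."""
    return string_equals(condition, request_context(session_arn, role_id))

if __name__ == "__main__":
    for name, cond in [("original", ORIGINAL), ("role-only", ROLE_ONLY), ("one-user", ONE_USER)]:
        print(f"{name}: {'Allow' if evaluate(cond) else 'no match'}")
```

The RoleId must be read from the actual permission-set role and is specific to that role instance, so re-check it if the role is ever recreated.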

0

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-sessions

"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }

AWS
answered 7 months ago
0

Hi, have you fixed it? I have the same issue and tried both solutions shown above, but neither works:

"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }

arn:aws:iam::123456789012:role/role-name

Regards, Sofiane

dzmoon
answered a month ago
