- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
To adjust your policy to restrict access to a particular S3 bucket for users logging in through SSO by assuming a specific IAM role, while ensuring it doesn't restrict access for users logging in through other roles, you can use the ${aws:userid} variable. This variable allows you to create conditions based on the unique combination of the role and the user assuming the role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::{bucket-name}", "arn:aws:s3:::{bucket-name}/*" ], "Condition": { "StringNotLike": { "aws:userid": "{role-id}:{user-name}" } } } ] }
In this policy, replace {bucket-name} with your bucket name, {role-id} with the role ID of the specific IAM role, and {user-name} with the user name or a wildcard pattern matching the users who assume this role. The aws:userid variable combines the role ID and the user's unique name (or session name) in the format role-id:user-name.
If this has resolved your issue or was helpful, accepting the answer would be greatly appreciated. Thank you!
We need to use StringNotLike here . But the initial problem was solved . Thanks
Hey Mina, in your suggested policy, I guess you'll need to change the effect to "Allow", to only allow the user with the role attached to access the S3 bucket, or change the condition to be "StringNotLike".
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 2 Jahren- AWS OFFICIALAktualisiert vor 2 Jahren
- AWS OFFICIALAktualisiert vor 2 Jahren
Your ARN looks to be off. Can you verify the role ARN? i.e. arn:aws:iam::1234567890:role/MY_ROLE