2 Answers
0
I wonder if a Global condition would work in this situation. Something like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/account_example_role"
            ],
            "Condition": { "StringEquals": { "aws:ResourceOrgID": "${aws:PrincipalOrgID}" } }
        }
    ]
}
0
IAM roles are linked to a particular AWS account and not to the whole organization. So you still need to mention each account's role ARN in the root_example_role policy.
answered a year ago
Hi, thank you for your answer, but I don't fully get it. I know that roles are bound to an account and not to an organization, but so are other resources, and I am still able to grant permissions to a particular resource in an organization using conditions (e.g. PrincipalOrgID).
What's the difference with roles?
Thank you for your answer, but it doesn't seem to work :(
I get this error:
And if I open the "Show more" menu I find this warning:
It seems that ResourceOrgID (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceorgid) isn't available for every action, but should work for sts actions.
This is the policy I tried:
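Added illustration, not part of any post in this thread: a small Python model of how IAM evaluates the StringEquals condition from the first answer, using constructed org IDs and request contexts (a same-org request, a cross-org request, and a request where aws:ResourceOrgID is absent from the context, as for actions that do not populate it). The evaluation logic is a simplified assumption for illustration, not the IAM engine.

```python
import re

# Identity policy from the first answer in this thread (trailing comma fixed).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Resource": ["arn:aws:iam::*:role/account_example_role"],
        "Condition": {"StringEquals": {"aws:ResourceOrgID": "${aws:PrincipalOrgID}"}},
    }],
}
_VAR = re.compile(r"\$\{([^}]+)\}")

def _substitute(value, ctx):
    """Resolve ${key} policy variables from the request context; None if a key is absent."""
    if any(k not in ctx for k in _VAR.findall(value)):
        return None
    return _VAR.sub(lambda m: ctx[m.group(1)], value)

def _arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def statement_allows(stmt, action, resource_arn, ctx):
    """Simplified model of one Allow statement (StringEquals conditions only)."""
    if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
        return False
    if not any(_arn_matches(p, resource_arn) for p in stmt["Resource"]):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        # Missing key makes StringEquals false (only ...IfExists tolerates absence):
        # that is what happens for actions that do not populate aws:ResourceOrgID.
        if key not in ctx:
            return False
        want = _substitute(expected, ctx)
        if want is None or ctx[key] != want:
            return False
    return True

def evaluate(policy, action, resource_arn, ctx):
    """True if any statement allows the request (explicit Deny is not modelled)."""
    return any(statement_allows(s, action, resource_arn, ctx) for s in policy["Statement"])

# Constructed org IDs and role ARN: same-org, cross-org and key-absent request contexts.
ROLE = "arn:aws:iam::111111111111:role/account_example_role"
SAME_ORG = {"aws:PrincipalOrgID": "o-exampleorg1", "aws:ResourceOrgID": "o-exampleorg1"}
CROSS_ORG = {"aws:PrincipalOrgID": "o-exampleorg1", "aws:ResourceOrgID": "o-otherorg99"}
KEY_ABSENT = {"aws:PrincipalOrgID": "o-exampleorg1"}
```

Only the same-org context is allowed; the cross-org and key-absent contexts are both refused, which is the behaviour to expect when the action does not supply aws:ResourceOrgID.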