IAM policy condition key PrincipalArn not working for AWS SSO users?

0

I have AWS SSO. There's a group, a permission set attached to the group, and an inline policy is attached to the permission set. I want to allow just one user of the group to do a certain action, here's a part of the inline policy that should do it:

{
  "Sid": "ECSExecuteCommand",
  "Effect": "Allow",
  "Action": "ecs:ExecuteCommand",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalArn": "arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name"
    }
  }
}

However, it doesn't work. I'm getting the following error:

An error occurred (AccessDeniedException) when calling the ExecuteCommand operation: User: arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name is not authorized to perform: ecs:ExecuteCommand on resource: arn:aws:ecs:us-east-1:aws-account-id:cluster/default because no identity-based policy allows the ecs:ExecuteCommand action.

Where am I wrong here?

3 answers
2

Hi, look at section aws:PrincipalArn of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

It seems that your arn string is incorrect: 'sts' not needed.

The example of the doc is given below

IAM role – The request context contains the following value for condition key aws:PrincipalArn. 
Do not specify the assumed role session ARN as a value for this condition key. 
For more information about the assumed role session principal, see Role session principals.

arn:aws:iam::123456789012:role/role-name
AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • I missed that. This answers my question of why it doesn't work. However, I want to use the assumed-role ARN to narrow down access to a specific user in the group, so just the role ARN won't do. Do you know of any other way I could narrow it down to a specific SSO user?
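To make the accepted answer concrete, here is a small, added policy-condition evaluator (example code written for this page, not from AWS or the thread). It builds the request-context keys the IAM documentation describes for an assumed-role session: aws:PrincipalArn carries the role ARN (with the role's path, which the STS session ARN omits), and aws:userid carries "role-id:role-session-name". The ARNs, the role id and the role path are constructed placeholders. It then shows that the original StringEquals on the session ARN can never match, that a role-ARN match must include the role path, and, going one step beyond the thread, that a StringLike on aws:userid is a documented way to pin a permission to one role-session name, which for an IAM Identity Center sign-in is the user's name as seen in the error message above.

```python
import fnmatch
import re

# Matches an STS assumed-role session ARN: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>[^:]+):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


def request_context_for_session(session_arn, role_path="", role_id="AROA_PLACEHOLDER"):
    """Derive the request-context keys IAM exposes for an assumed-role session.

    aws:PrincipalArn is the IAM *role* ARN, never the session ARN; the role's
    path (dropped from the session ARN) is part of it.  aws:userid is
    'role-id:role-session-name'.  role_id is a constructed placeholder (real
    ids start with AROA).
    """
    m = ASSUMED_ROLE_RE.match(session_arn)
    if not m:
        raise ValueError("not an assumed-role session ARN")
    account, role, session = m.group("account", "role", "session")
    return {
        "aws:PrincipalArn": f"arn:aws:iam::{account}:role/{role_path}{role}",
        "aws:userid": f"{role_id}:{session}",
    }


def condition_matches(condition, context):
    """Evaluate a policy Condition block (StringEquals / StringLike only).

    Every operator and every key must match for the block to be true; a key
    missing from the context makes the condition false, as in IAM.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals":
                ok = any(actual == v for v in values)
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, v) for v in values)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


# Constructed sample data: account, role suffix and path are placeholders.
ACCOUNT = "111122223333"
ROLE_NAME = "AWSReservedSSO_Developers_abc123"
ROLE_PATH = "aws-reserved/sso.amazonaws.com/"  # assumed path of an Identity Center role
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE_NAME}/user-name"
CONTEXT = request_context_for_session(SESSION_ARN, role_path=ROLE_PATH)

# 1. The questioner's condition: compares against the session ARN -> never true.
SESSION_ARN_CONDITION = {"StringEquals": {"aws:PrincipalArn": SESSION_ARN}}
# 2. Role ARN without the path -> also false, because the real key includes it.
ROLE_ARN_NO_PATH_CONDITION = {
    "StringEquals": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:role/{ROLE_NAME}"}
}
# 3. Role ARN with path -> true, but it matches every user of the permission set.
ROLE_ARN_CONDITION = {
    "StringEquals": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT}:role/{ROLE_PATH}{ROLE_NAME}"}
}
# 4. Pin to one role-session name; the role id is unknown when authoring, so wildcard it.
USERID_CONDITION = {"StringLike": {"aws:userid": "*:user-name"}}

if __name__ == "__main__":
    for label, cond in [("session ARN", SESSION_ARN_CONDITION),
                        ("role ARN, no path", ROLE_ARN_NO_PATH_CONDITION),
                        ("role ARN, with path", ROLE_ARN_CONDITION),
                        ("aws:userid StringLike", USERID_CONDITION)]:
        print(f"{label:24s} -> {condition_matches(cond, CONTEXT)}")
```

The path detail is the practical trap when switching from the session ARN to the role ARN: the error message prints the session ARN, which has no path, so copying the role name out of it into a StringEquals still fails. Either include the path or use StringLike with a wildcard on the role ARN.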

0

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-sessions

"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }

AWS
answered 7 months ago
0

Hi, have you fixed it? I have the same issue and tried both solutions shown above, but neither works:

"Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }

arn:aws:iam::123456789012:role/role-name

Regards, Sofiane

dzmoon
answered a month ago
