使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

IAM policy condition key PrincipalArn not working for AWS SSO users?

0

I have AWS SSO. There's a group, a permission set attached to the group, and an inline policy is attached to the permission set. I want to allow just one user of the group to do a certain action, here's a part of the inline policy that should do it:

Sid : "ECSExecuteCommand",
      "Effect" : "Allow",
      "Action" : "ecs:ExecuteCommand",
      "Resource" : "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalArn": "arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name"
        }
      }

However, it doesn't work. I'm getting the following error:

An error occurred (AccessDeniedException) when calling the ExecuteCommand operation: User: arn:aws:sts::aws-account-id-xxx:assumed-role/AWSReservedSSO_Developers_role-id-xxx/user-name is not authorized to perform: ecs:ExecuteCommand on resource: arn:aws:ecs:us-east-1:aws-account-id:cluster/default because no identity-based policy allows the ecs:ExecuteCommand action.

Where am I wrong here?

主題
安全性、身分識別與合規
標籤
AWS Identity and Access ManagementAWS IAM Identity CenterIAM 政策
語言
English
Anton
已提問 1 年前檢視次數 2483 次
3 個答案
2

Hi, look at section aws:PrincipalArn of https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

It seems that your arn string is incorrect: 'sts' not needed.

The example of the doc is given below

IAM role – The request context contains the following value for condition key aws:PrincipalArn. 
Do not specify the assumed role session ARN as a value for this condition key. 
For more information about the assumed role session principal, see Role session principals.

arn:aws:iam::123456789012:role/role-name
profile pictureAWS
專家
Didier_Durand
已回答 1 年前
profile picture
專家
Antonio_Lagrotteria
已審閱 1 年前
  • Anton
    1 年前

    I missed that. This answers my question why it doesn't work. However, I want to use the assumed-role arn to narrow down access to a specific user in the group, so just role arn won't do. Do you know of any other way I could narrow it down to a specific SSO user?

0

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-sessions "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" }

AWS
Zuraida_W
已回答 8 個月前
0

HI Have you fixed it ? I have the same issue and tried booth solutions shown above but not ways "Principal": { "AWS": "arn:aws:sts::AWS-account-ID:assumed-role/role-name/role-session-name" } arn:aws:iam::123456789012:role/role-name

Regards Sofiane

dzmoon
已回答 1 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容