How can I allow a Group to assume a Role?
How can I allow all members of a Group to assume a Role in AWS IAM?
I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.
I want to achieve something like below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::***:group/developer"
},
"Action": "sts:AssumeRole"
}
]
}
The idea is that all members of the group group/developer
should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.
Is there a way to achieve this?
Attach a policy to the Group that grants permission to call sts:AssumeRole
on the desired Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "123",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::123456789012:role/desired-role"
]
}
]
}
Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole
permissions (above) to assume the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole"
}
]
}
You cannot specify IAM groups as principals.
You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.
Per the documentation in AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html