Assume any role based on condition

375 Views Asked by Shelef At 06 August 2023 at 10:27

I want to have an IAM user that have a permission to assume any role that have access to any S3 bucket. I have the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

Currently my IAM user can assume any role, how can I limit the user so it can assume only the roles that have read/write access to any S3 bucket in any region

Original Q&A

There are 1 best solutions below

Dennis Traub On 07 August 2023 at 16:50

A way to do this is by tagging the respective roles, e.g. with the Key S3Access set to True, and then use a policy using the tag as a condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeTaggedRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/*",
            "Condition": {
                "StringEquals": {"iam:ResourceTag/S3Access": "True"}
            }
        }
    ]
}

To learn more, check out Controlling access to and for IAM users and roles using tags in the AWS IAM user guide.

Assume any role based on condition

There are 1 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-S3

Related Questions in AMAZON-IAM

Related Questions in ASSUME-ROLE

Trending Questions

Popular # Hahtags

Popular Questions