I'm trying to set up a policy for a Group ("TheGroup") that when attached to a User would allow that user to Create new Users AND assign them to another specific group ("TheSubGroup").
I believe I have the CreateUser part mostly done but I'm not sure of syntax for how to also allow this user to AddUserToGroup("TheSubGroup") in the second part of the policy below.
Any thoughts?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ManageUsersPermissions",
"Effect": "Allow",
"Action": [
"iam:ChangePasword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:CreateUser",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:DeleteUser",
"iam:UpdateAccessKey",
"iam:ListAttachedUserPolicies",
"iam:ListPolicies",
"iam:ListUserPolicies",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:GetPolicy",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "LimitedGroupAssignment",
"Effect": "Allow",
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::1234567890:group/TheSubGroup"
]
}
}
}
]
}
The
AddUserToGroupaction applies to group resources. Try targeting the group resource: