How can I allow a Group to assume a Role?

Asked 21/1, 2016 at 11:44 Answered 31/12, 2018 at 17:37

Solved amazon-web-services amazon-iam identity-management

How can I allow all members of a Group to assume a Role in AWS IAM?

I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.

I want to achieve something like below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::***:group/developer"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The idea is that all members of the group group/developer should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.

Is there a way to achieve this?

Apprehend answered 21/1, 2016 at 11:44 Comment(2)

What role do you want them to assume? Can you provide a sample ARN? – Continuity 21/1, 2016 at 16:13

The role is named developer as-well: so the ARN would be something like arn:aws:iam::***:role/developer – Apprehend 21/1, 2016 at 16:21

Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/desired-role"
            ]
        }
    ]
}

Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Ertha answered 22/1, 2016 at 9:27 Comment(6)

that's the way to do, but the trust policy trusts all users in the account, not specifically the ones in the IAM group. This is only controlled by the resource level of the policy, but I think Floo0 wants to specify "only the users in the group" in the trust relationship, which is not possible :( – Cenacle 22/1, 2016 at 10:4

@John Rotenstein, thanks for the solution (+1). After digging some deeper i found this solution as well. As Tom points our this solution "disables" the double-security for assuming roles. Especially for Cross-Account Role-Assuming i think this is a bit "risky"... – Apprehend 22/1, 2016 at 11:24

You will have to change the principal to use the ARN of the group. I guess he just copied an example with :root user allowed. – Lachellelaches 5/3, 2018 at 3:27

@Lachellelaches Incorrect; as stated in the question, groups are not valid principals for IAM policies. – Brace 11/6, 2018 at 15:44

@John Rotenstein, thanks for the solution (+1). We are now using AWS STS Based on your recomendation. – Daveta 26/2, 2020 at 23:32

Hey Josh, I'm having trouble getting this to work and asked in a separate question if you kindly have a moment to provide some clarity – Occasional 10/11, 2020 at 1:37

You cannot specify IAM groups as principals.

You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.

Per the documentation in AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Gib answered 10/5, 2018 at 21:9 Comment(4)

What's puzzling is the docs for assume-role mention "it is best practice not to grant permissions directly to an individual user. For easier management, we recommend assigning policies and granting permissions to IAM groups and then making the users members of the appropriate groups." But it isn't actually possible to follow their guidance? – Greenness 28/6, 2018 at 11:37

Longstanding issue in the AWS discussion forum. – Beadsman 3/4, 2020 at 15:42

@Dominik: It seems the page you link to has been archived since. I tried to find that page in the new AWS re:Post to update your link, but no luck. Any chance you dig out the migrated page ? – Sapodilla 9/6 at 10:10

@Sapodilla Sorry, couldn't find it there quickly, too. How about asking this question there again? – Beadsman 10/6 at 8:51

As of December 2018 (no idea if they were correct at the time of writing) some statements expressed above about the limitations to groups sound misleading.

I'd like to add/clarify the accepted answer:

1) trusting sts:AssumeRole to ..:root user only POTENTIALLY allows any user to assume the role in question. Unless you also grant the permission to some user or group to assume the role, it will not be allowed.

2) if you, like me, cannot have the permissions specified in the group definition because of resources living in different stacks and/or circular dependencies, the code to define a policy associated with a group is:

DevelopersAccess:
    Type: AWS::IAM::Policy
    Properties:
    Groups:
        - !ImportValue another-stack-DevelopersGroupNameNotArn
    PolicyName: DevelopersAccess
    PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
            Action:
            - sts:AssumeRole
            Resource:
            - arn:aws:iam::123456789012:role/desired-role

Note that under Groups you have to list group names, not ARNs.

Ombudsman answered 31/12, 2018 at 17:37 Comment(1)

Thank you for further clarification. From that answer, I understood that "root" was the name of the group, this is explanation should be added to the accepted answer. – Candlewick 7/5, 2019 at 21:49

-2

This can be done in a different way. But, not sure whether this is what you want.

1) Create a policy using create-policy.
2) Attach the policy to the arn:aws:iam::***:role/developer role using attach-role-policy.
3) Create the intended Group using create-group.
4) Attach the specified managed policy to the specified Group using attach-group-policy.

Same can be achieved through AWS console or AWS SDK instead of using CLI. Please see Attaching a Policy to an IAM Group

This way, you don't have to add the roles individually to each member in the group.

Orissa answered 21/1, 2016 at 16:42 Comment(1)

This solution is not what the original question is asking. it does not handle assuming a role at all and just grants the permission to the original group. – Petronilapetronilla 10/12, 2022 at 0:21

Recommended topics

Hot tags