Reputation: 10610
Cannot apply AWS policy to group, only to user
I am trying to set up permissions on a CloudSearch domain.
This policy works:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::55555555:user/SearchUser"
},
"Action": "cloudsearch:*"
}
]
}
This does not:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::55555555:group/SearchGroup"
},
"Action": "cloudsearch:*"
}
]
}
The only difference is user/SearchUser vs group/SearchGroup
When I try to apply the latter it just gives me an error:
Error setting policy: [{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::55555555:group/SearchGroup"},"Action":"cloudsearch:*"}]}]
Any ideas on why the policy works for a user but not a group?
Upvotes: 1
Views: 451
Answers (1)
Reputation: 2105
Groups are not supported.
Specifying a Principal
You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Principal
Upvotes: 4
Related Questions
- AWS s3 bucket policy invalid group principal
- AWS permission boundary won't apply to the secound user
- S3 bucket policy, how to ALLOW a IAM group from another account?
- IAM Policy to only allowing viewing and editing EC2 instances by group
- AWS IAM policy for security group not working
- AWS: IAM Policy to Add User To specific Group
- How to set policy for IAM user group?
- AWS security groups not working as expected
- AWS IAM customized policy at instance level for EC2 doesn't work
- AWS IAM group policy on S3 resource affecting other groups?