CODEWITHSUNDEEP
amazon-web-servicesamazon-iam
Karim Tabet
Karim Tabet

Reputation: 1847

AWS IAM Policy to allow user to create IAM User with specific Policy/Roles

I want to create a policy that allows for the creation of IAM users that have limited permissions or the same permissions as the user that created them.

Basically; I want to allow a user to create another user, but to also specify exactly what policies one user is allowed to give to another user.

For example;

I create a new user: User A

User A only has permissions to create new users with (equally) limited permissions.

User A create a new user: User B

User B only has the same permissions as User A (or fewer/different permissions).

I thought maybe it was something in the resource section? Eg

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUsersToPerformUserActions",
      "Effect": "Allow",
      "Action": [
        "iam:CreateUser",
      ],
      "Resource": "<Some Specific Policy>"
    },
  ]
}

Upvotes: 2

Views: 2967

Answers (1)

John Rotenstein
John Rotenstein

Reputation: 269161

Rather than creating a new user, you can use the GetSessionToken command from the AWS Security Token Service.

This command allows any user to create temporary credentials with the same permissions that they have, or with permissions scoped-down from their own permissions. (It will never have more permissions that the requesting user.)

The temporary credentials can be valid for 15 minutes to 1 hour.

These types of credentials are typically used to activate a multi-factor authentication session or to create temporary credentials for an untrusted application.

Upvotes: 3

Related Questions