Reputation: 31
I'm new to AWS. I have an AWS CodeArtifact repository and I wanted to create a repository policy for it using an IAM user group.
My repository policy using an IAM user looks like this:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::****:user/*********"
            },
            "Action": [
                "codeartifact:DescribePackageVersion",
                "codeartifact:DescribeRepository",
                "codeartifact:GetPackageVersionReadme",
                "codeartifact:GetRepositoryEndpoint",
                "codeartifact:ListPackages",
                "codeartifact:ListPackageVersions",
                "codeartifact:ListPackageVersionAssets",
                "codeartifact:ListPackageVersionDependencies",
                "codeartifact:ReadFromRepository"
            ],
            "Resource": "*"
        }
    ]
}
```
How do I do it for a user group?
I tried to do the same as I had done with the IAM user, but for a group, and there seems to be some error. It looked like this:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::*****:group/*********"
            },
            "Action": [
                "codeartifact:DescribePackageVersion",
                "codeartifact:DescribeRepository",
                "codeartifact:GetPackageVersionReadme",
                "codeartifact:GetRepositoryEndpoint",
                "codeartifact:ListPackages",
                "codeartifact:ListPackageVersions",
                "codeartifact:ListPackageVersionAssets",
                "codeartifact:ListPackageVersionDependencies",
                "codeartifact:ReadFromRepository"
            ],
            "Resource": "*"
        }
    ]
}
```
Upvotes: 1
Views: 646
Reputation: 35248
IAM groups are not a principal, so unfortunately you cannot use them as a reference within your policy.
You are limited to either an IAM user or an IAM role.
AWS principals must be the calling resource (the resource that attempts to access this service via the API); an IAM group is an organisational construct that is applied to users to improve the management of policies.
The only suggestion (as with any other resource policy) would be to create a role for this group that can be assumed by any user in the group. You would then update the principal to be this role, rather than listing all the groups. If this does not work for your solution, then you'll need to list all the IAM users.
If you create a role, you can assume it via the console, via the command line, or even via the SDK.
Upvotes: 1
Reputation: 238747
Unfortunately, you can't do this:
```json
"Principal": {
    "AWS": "arn:aws:iam::*****:group/*********"
},
```
IAM groups can't be used as principals. Usually, when you have an AWS type principal, you are limited to an IAM role or an IAM user.
In general though (docs):
You can specify any of the following principals in a policy:
AWS account and root user
IAM users
Federated users (using web identity or SAML federation)
IAM roles
Assumed-role sessions
AWS services
Anonymous users (not recommended)
Therefore, the permissions for your AWS CodeArtifact repository could be associated with an IAM role. Your group members would have the sts:AssumeRole permission for the role. This way they could assume the role, and the role could be used as a principal in your policy.
Upvotes: 1
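The role-based workaround that both answers describe needs three policy documents: a trust policy on the role, an identity policy on the group granting sts:AssumeRole for that role, and the repository policy with the role as its principal. The following Python is an added example, not code from the question or either answer; the account id, group name, role name and domain/repository names are constructed placeholders. It assumes the common pattern of trusting the account root in the role's trust policy so that the group's own identity policy decides which users may assume the role, and it also includes a small check that flags `:group/` ARNs in a resource policy, since those are exactly what IAM rejects here.

```python
"""Build the policy documents for granting an IAM group's members read
access to a CodeArtifact repository through an assumable role.

Added example: every identifier below is a constructed placeholder, not a
value taken from the question.
"""
import json
import re
from typing import Dict, List

# Constructed placeholders (hypothetical values): replace with your own.
ACCOUNT_ID = "111122223333"
GROUP_NAME = "codeartifact-readers"
ROLE_NAME = "CodeArtifactReadOnlyRole"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"

# The read-only actions listed in the question's repository policy.
READ_ACTIONS = [
    "codeartifact:DescribePackageVersion",
    "codeartifact:DescribeRepository",
    "codeartifact:GetPackageVersionReadme",
    "codeartifact:GetRepositoryEndpoint",
    "codeartifact:ListPackages",
    "codeartifact:ListPackageVersions",
    "codeartifact:ListPackageVersionAssets",
    "codeartifact:ListPackageVersionDependencies",
    "codeartifact:ReadFromRepository",
]


def role_trust_policy(account_id: str) -> Dict:
    """Trust policy for the role. Trusting the account root delegates the
    decision of who may assume the role to identity policies in the account
    (the group policy below), so no user list is hard-coded here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def group_assume_role_policy(role_arn: str) -> Dict:
    """Identity policy to attach to the IAM group: its members (and only
    the scope of this one role) may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def repository_policy(role_arn: str, actions: List[str]) -> Dict:
    """CodeArtifact repository policy: the role, a valid principal, replaces
    the group ARN that IAM rejected in the question."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(actions),
            "Resource": "*",
        }],
    }


_GROUP_ARN = re.compile(r"^arn:aws:iam::\d{12}:group/")


def invalid_group_principals(policy: Dict) -> List[str]:
    """Return every AWS principal in a resource policy that is an IAM group
    ARN. Groups are not principals, so such a policy will be rejected."""
    found = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "*" or a non-AWS principal type; nothing to check here
        aws = principal.get("AWS", [])
        for arn in [aws] if isinstance(aws, str) else aws:
            if _GROUP_ARN.match(arn):
                found.append(arn)
    return found


if __name__ == "__main__":
    print("role trust policy:", json.dumps(role_trust_policy(ACCOUNT_ID), indent=2))
    print("group policy:", json.dumps(group_assume_role_policy(ROLE_ARN), indent=2))
    print("repository policy:", json.dumps(repository_policy(ROLE_ARN, READ_ACTIONS), indent=2))
    print("group principals found:", invalid_group_principals(repository_policy(ROLE_ARN, READ_ACTIONS)))
```

The three documents map onto the CLI steps from the answers: the trust policy goes to `aws iam create-role --assume-role-policy-document`, the group policy to `aws iam put-group-policy`, and the repository policy to `aws codeartifact put-repository-permissions-policy --policy-document`. Running `invalid_group_principals` over a draft repository policy before uploading it catches the group-ARN mistake from the question offline.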