Manish Pal
Reputation: 361
How to apply OR conditions between two conditions in IAM policy?
Below is my IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:GetObject*",
"Resource": "arn:aws:s3:::*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/custom:kypha": "${aws:PrincipalTag/custom:kypha}",
"s3:ExistingObjectTag/custom:pharma": "${aws:PrincipalTag/custom:pharma}"
}
}
}
]
}
By default, AWS applies AND between two conditions ("s3:ExistingObjectTag/...."). But I required OR between them in such a way that if any of the conditions meet, then it will allow the specific action. How could I achieve this? any suggestion.
Upvotes: 2
Views: 2222
Answers (1)
Marcin
Reputation: 238467
You need two separate statements as your keys s3:ExistingObjectTag/custom:kypha and s3:ExistingObjectTag/custom:pharma are different:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:GetObject*",
"Resource": "arn:aws:s3:::*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/custom:kypha": "${aws:PrincipalTag/custom:kypha}"}"
}
}
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:GetObject*",
"Resource": "arn:aws:s3:::*",
"Condition": {
"StringEquals": {
"s3:ExistingObjectTag/custom:pharma": "${aws:PrincipalTag/custom:pharma}"
}
}
}
]
}
Upvotes: 3
Related Questions
- How to provide multiple StringNotEquals conditions in AWS policy?
- AWS IAM multiple policies with conflicting conditions
- How to create an IAM policy with multiple statements using CDK?
- how to combine two IAM policies together
- IAM user policy that can only triggered by a AWS service (Condition)
- how to define one condition that validate at least one key in iam aws policy
- AWS IAM Conditional Policies
- AWS IAM Policy Grammar Error with Multiple Conditions
- AWS IAM: how to create a condition using global condition keys
- How do I do an OR condition in an S3 bucket policy?