我如何允许一个小组担任角色? [英] How can I allow a Group to assume a Role?

问题描述

如何允许组中的所有成员在AWS IAM中扮演角色?

How can I allow all members of a Group to assume a Role in AWS IAM?

我尝试使用以下语句，但已在 AWS IAM中指定主体元素，组不能是主体.

I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.

我想要实现以下目标:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::***:group/developer"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

这个想法是，组group/developer的所有成员都应该能够担任这个角色.目的是使我免于必须单独指定组中的每个成员.

The idea is that all members of the group group/developer should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.

有没有办法做到这一点?

Is there a way to achieve this?

推荐答案

向组添加策略，该策略授予在所需角色上调用sts:AssumeRole的权限:

Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/desired-role"
            ]
        }
    ]
}

此外，在角色上附加信任策略.样本策略(如下)将信任帐户中的任何用户，但他们还需要(上图)sts:AssumeRole权限才能承担角色.

Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

这篇关于我如何允许一个小组担任角色?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！