I am trying to set up permissions on a CloudSearch domain.

This policy works:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::55555555:user/SearchUser"
      },
      "Action": "cloudsearch:*"
    }
  ]
}

This does not:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::55555555:group/SearchGroup"
      },
      "Action": "cloudsearch:*"
    }
  ]
}

The only difference is user/SearchUser vs. group/SearchGroup.

When I try to apply the latter it just gives me an error:

Error setting policy: [{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::55555555:group/SearchGroup"},"Action":"cloudsearch:*"}]}]

Any ideas on why the policy works for a user but not a group?

1 Answer

Groups are not supported.

Specifying a Principal

You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Principal
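A small pre-flight linter, added here as an illustration (it is not code from the question, the answer, or AWS), that scans a resource policy's Principal entries and flags the unsupported `group/` ARN before the policy is submitted. The principal types it accepts are exactly the ones the quoted IAM reference lists (account, IAM user, IAM role, federated user, assumed-role user). The two policies from the question are embedded as sample input; the role-based "fixed" policy, the function names `lint_policy` and `principal_problems`, and the role name are my own assumptions.

```python
import json
import re

# Matches IAM/STS principal ARNs. The question's account id "55555555" is
# shorter than a real 12-digit account id, so the pattern accepts any digit run.
_ARN_RE = re.compile(r"^arn:aws:(?P<service>iam|sts)::(?P<account>\d+):(?P<resource>.+)$")

# Resource prefixes that the linked IAM reference allows as "AWS" principals.
# "group/" is deliberately absent: IAM groups cannot be principals.
_ALLOWED_PREFIXES = ("root", "user/", "role/", "federated-user/", "assumed-role/")


def principal_problems(value):
    """Return a list of problems with one "AWS" principal value; empty if acceptable."""
    if value == "*" or value.isdigit():
        # "*" (anonymous) and a bare account id are syntactically valid principals.
        return []
    m = _ARN_RE.match(value)
    if not m:
        return [f"{value}: not an IAM/STS principal ARN"]
    resource = m.group("resource")
    if resource.startswith("group/"):
        return [f"{value}: IAM groups cannot be principals; use the group's users or a role"]
    if not resource.startswith(_ALLOWED_PREFIXES):
        return [f"{value}: unsupported principal type '{resource.split('/')[0]}'"]
    return []


def _aws_principals(principal):
    """Normalise the Principal element to a list of "AWS" values."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def lint_policy(policy_json):
    """Lint every statement's Principal; returns a list of (statement index, message)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without the list
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if "Principal" not in stmt:
            findings.append((i, "statement has no Principal (resource policies require one)"))
            continue
        for value in _aws_principals(stmt["Principal"]):
            for msg in principal_problems(value):
                findings.append((i, msg))
    return findings


# Sample input: the two policies from the question, plus a constructed
# alternative that grants the same access to an IAM role (hypothetical role name).
WORKING_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::55555555:user/SearchUser"},
    "Action": "cloudsearch:*"}]})
GROUP_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::55555555:group/SearchGroup"},
    "Action": "cloudsearch:*"}]})
ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::55555555:role/SearchRole"},
    "Action": "cloudsearch:*"}]})

if __name__ == "__main__":
    for name, doc in (("user", WORKING_POLICY), ("group", GROUP_POLICY), ("role", ROLE_POLICY)):
        print(name, lint_policy(doc) or "ok")
```

Run it before calling the CloudSearch API and the group policy is reported with a reason, instead of the bare "Error setting policy" echo shown in the question. Because the check is only about the Principal element, a policy that passes can still be rejected for other reasons (malformed actions, conditions, and so on).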