How can I allow a Group to assume a Role?

43
votes

How can I allow all members of a Group to assume a Role in AWS IAM?

I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.

I want to achieve something like below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::***:group/developer"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The idea is that all members of the group group/developer should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.

Is there a way to achieve this?

4
amazon-web-servicesamazon-iamidentity-management
What role do you want them to assume? Can you provide a sample ARN?Rodrigo M
The role is named developer as-well: so the ARN would be something like arn:aws:iam::***:role/developerRentrop

4 Answers

52
votes

Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "123",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/desired-role"
            ]
        }
    ]
}

Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
13
votes

You cannot specify IAM groups as principals.

You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.

Per the documentation in AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

7
votes

As of December 2018 (no idea if they were correct at the time of writing) some statements expressed above about the limitations to groups sound misleading.

I'd like to add/clarify the accepted answer:

1) trusting sts:AssumeRole to ..:root user only POTENTIALLY allows any user to assume the role in question. Unless you also grant the permission to some user or group to assume the role, it will not be allowed.

2) if you, like me, cannot have the permissions specified in the group definition because of resources living in different stacks and/or circular dependencies, the code to define a policy associated with a group is:

DevelopersAccess:
    Type: AWS::IAM::Policy
    Properties:
    Groups:
        - !ImportValue another-stack-DevelopersGroupNameNotArn
    PolicyName: DevelopersAccess
    PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Effect: Allow
            Action:
            - sts:AssumeRole
            Resource:
            - arn:aws:iam::123456789012:role/desired-role

Note that under Groups you have to list group names, not ARNs.

1
votes

This can be done in a different way. But, not sure whether this is what you want.

1) Create a policy using create-policy.
2) Attach the policy to the arn:aws:iam::***:role/developer role using attach-role-policy.
3) Create the intended Group using create-group.
4) Attach the specified managed policy to the specified Group using attach-group-policy.

Same can be achieved through AWS console or AWS SDK instead of using CLI. Please see Attaching a Policy to an IAM Group

This way, you don't have to add the roles individually to each member in the group.