1
votes

I'm digging into IAM Roles for Users but I'm stuck in the "trust policy" for the role.

What do I want? I want a user assuming the role to be allowed access to S3: AmazonS3FullAccess

Context: I created a user, user1 and assigned the following policy to it:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::my-aws-account:role/user1Role"
  }
}

Then I wanted to create the role user1Role using aws iam create-role, but I am stuck on the policy for --assume-role-policy-document (aka the trust relationship policy document that grants an entity permission to assume the role).

For an EC2 trust policy I would use

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

But I have no idea how to do this (or what I should do) in the case of IAM users.

1 Answers

3
votes

You can specify an individual IAM user (or array of users) as the principal, as in the following example:

"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }

When you use an AWS account identifier as the principal in a policy, you delegate authority to the account. Within that account, the permissions in the policy statement can be granted to all identities. This includes IAM users and roles in that account:

"Principal": { "AWS": "arn:aws:iam::AWS-Account-ID:root" }

For more details regarding the Principal element in AWS IAM Trust Policies please refer to the documentation.
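An added example (not code from the question or the answer) that ties the two Principal forms together: it builds the trust policy for user1Role, renders the aws iam create-role call the question asks about, and models which callers each form trusts, including the caveat that an account root principal only delegates to identities whose own policy grants sts:AssumeRole. The account ID 123456789012 and the ARNs are constructed sample values.

```python
import json

ACCOUNT = "123456789012"  # constructed sample account ID, not a real one


def trust_policy(principal_arn: str) -> dict:
    """Trust policy (the --assume-role-policy-document) allowing one principal
    to call sts:AssumeRole on the role, following the pattern in the answer."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def create_role_command(role_name: str, policy: dict) -> str:
    """Render the aws CLI invocation from the question with the policy inlined."""
    doc = json.dumps(policy, separators=(",", ":"))
    return f"aws iam create-role --role-name {role_name} --assume-role-policy-document '{doc}'"


def can_assume(policy: dict, caller_arn: str, caller_identity_allows_assume: bool) -> bool:
    """Simplified model of the same-account AssumeRole decision:
    - a principal named by its exact ARN is trusted directly;
    - an account root principal delegates to the whole account, so any IAM
      identity in that account is trusted only if its own identity policy
      grants sts:AssumeRole (the policy attached to user1 in the question).
    Cross-account callers, wildcard principals and Deny statements are not modelled."""
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        principal = stmt["Principal"]
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in actions:
            continue
        if not isinstance(principal, dict):  # "Principal": "*" is out of scope here
            continue
        trusted = principal.get("AWS", [])
        trusted = [trusted] if isinstance(trusted, str) else trusted
        for arn in trusted:
            if arn == caller_arn:
                return True
            if arn.endswith(":root"):
                account_prefix = arn[:-len("root")]  # "arn:aws:iam::<account-id>:"
                if caller_arn.startswith(account_prefix) and caller_identity_allows_assume:
                    return True
    return False


if __name__ == "__main__":
    policy = trust_policy(f"arn:aws:iam::{ACCOUNT}:user/user1")
    print(create_role_command("user1Role", policy))
```

Naming the specific user ARN rather than the account root keeps the role scoped to that one identity; note that IAM stores such a principal by the user's unique ID, so deleting and re-creating user1 silently breaks the trust until the policy is re-saved.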