
We have a SAML-based federated user login for AWS.

In AWS, we created a role with certain policies.

Now we would like to specify only some users of the federated users to be able to switch to this role.

The following policy allows all users of the org to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<org id>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

There are docs on how to give access to different types of IAM users. Unfortunately, Groups are not allowed.

Is there a way to only allow a subset of federated users to assume a role? Or do I need to make this selection on the SAML side and create another SAML login role which can then be used within AWS?

I've found this post which suggests denying users which should be privileged. However, this would also require selecting specific federated users to attach to the custom group, which brings me back to the initial problem.

pat-s
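As an added example (not from the question or its author), a trust policy for the target role that admits only named federated users instead of the whole account. It assumes the SAML login role is called `SAMLLoginRole`, that the identity provider sets each user's RoleSessionName to their e-mail address, and that `alice@example.com` and `bob@example.com` are constructed placeholders; for a session created by AssumeRoleWithSAML, `aws:userid` has the form `<role id>:<role session name>`, so the condition matches on the session-name half and uses a wildcard for the role id.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyNamedFederatedUsersMayAssume",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account id>:role/SAMLLoginRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:userid": [
            "*:alice@example.com",
            "*:bob@example.com"
          ]
        }
      }
    }
  ]
}
```

Any federated session whose session name is not listed is implicitly denied; since the check rests on the RoleSessionName the IdP issues, the IdP attribute mapping must be the only place that value can be set.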
