AWS:将用户添加到特定组的 IAM 策略

时间:2021-02-11 05:31:32

标签: amazon-web-services amazon-iam amazon-policy

我正在尝试为组(“TheGroup”)设置策略,当附加到用户时,该策略将允许该用户创建新用户并将他们分配给另一个特定组(“TheSubGroup”)。

我相信我已经大部分完成了 CreateUser 部分,但我不确定如何在下面的策略的第二部分中还允许此用户 AddUserToGroup("TheSubGroup") 的语法。

有什么想法吗?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageUsersPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePasword",
        "iam:CreateAccessKey",
        "iam:CreateLoginProfile",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteLoginProfile",
        "iam:DeleteUser",
        "iam:UpdateAccessKey",
        "iam:ListAttachedUserPolicies",
        "iam:ListPolicies",
        "iam:ListUserPolicies",
        "iam:ListGroups",
        "iam:ListGroupsForUser",
        "iam:GetPolicy",
        "iam:GetAccountSummary"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LimitedGroupAssignment",
      "Effect": "Allow",
      "Action": [
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyArn": [
            "arn:aws:iam::1234567890:group/TheSubGroup"
          ]
        }
      }
    }
  ]
}

1 个答案:

答案 0 :(得分:1)

AddUserToGroup action applies to group resources。尝试定位群组资源:

{
  "Sid": "LimitedGroupAssignment",
  "Effect": "Allow",
  "Action": [
    "iam:AddUserToGroup",
    "iam:RemoveUserFromGroup"
  ],
  "Resource": "arn:aws:iam::1234567890:group/TheSubGroup"
}
相关问题
最新问题