We have 10+ accounts clustered under a single root account, all in one organization. Our ops personnel get a user in the root account and can access any "sub" account in the organization if said user has the required permissions (assumeRole).
I struggle with giving our users the correct permissions (attaching a policy) because IAM is limited everywhere to 10 items:
We have more than 10 sub-accounts. I first tried to attach a policy for each account directly to users, or to groups that give access to users, but I always hit the following limits:
- Groups an IAM user can be a member of: 10
- Managed policies attached to an IAM group: 10
- Managed policies attached to an IAM user: 10 (undocumented)
In order to give users access to an arbitrary number of accounts I need to create an individual policy for each user, it seems. Is that the only way?
Edit: Rephrasing use-case:
I have more than 10 sub-accounts in an organization. I have a bunch of users in an "authorization" AWS account. Users access the sub-accounts via assumeRole as admin. I need a way to give admin access to each user to a subset of accounts. The list of accounts a user can access as admin might change from user to user.
I tried to create a group for each account that has the right policy attached. This allows me to give users admin access by simply adding users with access to the appropriate group. Because I have more than 10 accounts, I need users to be able to belong to more than 10 groups, which isn't possible with AWS.
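The per-user policy the question mentions does not run into the group or attached-policy quotas, because one customer-managed policy can list every role a user is allowed to assume in a single `sts:AssumeRole` statement; the limit that then matters is the managed policy size (6,144 characters, whitespace not counted). The script below is an added example, not code from the question or from AWS. It takes a user-to-accounts matrix and emits, for each user, that one identity policy, and for each sub-account the matching role trust policy that names only the users who may assume it. The role name `OrganizationAccountAccessRole`, the account IDs, the user names and the authorization account ID are constructed placeholders.

```python
import json

# Constructed sample data: which user may assume the admin role in which
# member account. Account IDs and user names are placeholders.
ACCESS_MATRIX = {
    "alice": ["111111111111", "222222222222", "333333333333"],
    "bob": ["222222222222"],
}
AUTHORIZATION_ACCOUNT = "999999999999"        # placeholder: the account holding the IAM users
ROLE_NAME = "OrganizationAccountAccessRole"   # assumed name of the admin role in each sub-account
MANAGED_POLICY_MAX_CHARS = 6144               # documented size quota for a managed policy


def role_arn(account_id: str, role_name: str = ROLE_NAME) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def policy_size(policy: dict) -> int:
    # IAM does not count whitespace against the quota, so measure minified JSON.
    return len(json.dumps(policy, separators=(",", ":")))


def build_assume_role_policy(account_ids, role_name: str = ROLE_NAME) -> dict:
    """One identity policy per user: a single Allow for sts:AssumeRole whose
    Resource list is exactly the admin roles in the user's permitted accounts.
    Raises ValueError if the list would exceed the managed policy size quota."""
    resources = sorted({role_arn(a, role_name) for a in account_ids})
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeAdminInPermittedAccounts",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": resources,
        }],
    }
    size = policy_size(policy)
    if size > MANAGED_POLICY_MAX_CHARS:
        raise ValueError(
            f"policy is {size} chars, over the {MANAGED_POLICY_MAX_CHARS} quota; "
            "split the account list across more than one policy")
    return policy


def accounts_to_users(matrix: dict) -> dict:
    """Invert the matrix so each account knows which users may assume into it."""
    inverted = {}
    for user, accounts in matrix.items():
        for account in accounts:
            inverted.setdefault(account, []).append(user)
    return {account: sorted(users) for account, users in inverted.items()}


def build_trust_policy(authorization_account: str, usernames) -> dict:
    """Trust policy for the admin role in one sub-account. Pinning the principal
    to the individual user ARNs (rather than the authorization account's root)
    means the identity policy and the trust policy must both agree before a
    user can assume the role."""
    principals = sorted(f"arn:aws:iam::{authorization_account}:user/{u}" for u in usernames)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowNamedOpsUsers",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": "sts:AssumeRole",
        }],
    }


if __name__ == "__main__":
    for user, accounts in ACCESS_MATRIX.items():
        print(f"--- identity policy for {user} ---")
        print(json.dumps(build_assume_role_policy(accounts), indent=2))
    for account, users in accounts_to_users(ACCESS_MATRIX).items():
        print(f"--- trust policy for role in {account} ---")
        print(json.dumps(build_trust_policy(AUTHORIZATION_ACCOUNT, users), indent=2))
```

Each generated identity policy is attached to exactly one user, so the 10-managed-policies-per-user and 10-groups-per-user quotas are never approached; the matrix stays the single source of truth and regenerating both sides of it keeps the trust policies in step with the identity policies when a user's account list changes.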