
Is it possible to set multiple values in an aws:PrincipalTag for an IAM policy?

Currently, I have federated users with a project attribute in their JWT, and depending on this value I can give access to specific "folders" in my S3 bucket.

For a JWT with the following value:

"https://aws.amazon.com/tags": {
    "principal_tags": {
        "project": [
            "foo"
        ]
    }
}

and my AWS policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TagBasedAccess",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::myawesomebucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "${aws:PrincipalTag/project}/*"
                }
            }
        }
    ]
}

It successfully grants the user access to arn:aws:s3:::myawesomebucket/foo/.

Now I would like to make it work for multiple values in the project attribute (to give access to multiple S3 "folders"), but I have no idea how to do this.

EDIT:

In the AWS documentation (AWS doc):

you can include multiple values in a single tag with a custom separator. In this example, you could attach the team = Engineering:QA tag to Zhang. To control access to engineers in this example using the team tag, you must create a policy that allows for every configuration that might include Engineering, including Engineering:QA

but they don't say how to do this...

rootmout

1 Answer


There is an AWS document relating to this question: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions

Direct quote from the document:

To compare your condition against a request context with multiple key values, you must use the ForAllValues or ForAnyValue set operators. These qualifiers add set-operation functionality to the condition operator so that you can test multiple request values against multiple condition values. Additionally, if you include a multivalued key in your policy with a wildcard or a variable, you must also use the StringLike condition operator.

Please refer to the original document for more information. You might want to know, for example, how condition operators and condition blocks work in this context.

Marko Eskola
  • Please [edit] your answer and write a brief summary of the content of the link you provide. Remember that such content may no longer be available later. Read [answer]. – padaleiana Jul 10 '21 at 00:09
  • The question stated that it isn't about multiple key values, but about multiple values in a single tag. Since the docs mention `Do not use set operators with single-valued condition keys.`, I doubt this will work. Can you provide a working example if you have any? – Sam Kah Chiin May 13 '22 at 13:16
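The following Python model is an added example; it is not code from the question, the answer or AWS. It implements a simplified version of IAM's StringLike operator (`*` matches any run of characters, `?` exactly one, case-sensitive), `${key}` policy-variable substitution and the ForAllValues/ForAnyValue set qualifiers, then runs the question's condition against a constructed request context. It shows that `${aws:PrincipalTag/project}` expands to the whole tag value, so a delimited tag such as `foo:bar` no longer matches `foo/*`, and that the approach the quoted documentation describes (a statement per folder that lists every pattern in which that project name may appear inside the tag) does match it. The helper names, the `:` delimiter and the evaluator itself are assumptions, not the real IAM policy engine.

```python
import re
from typing import Dict, List, Optional

# Request context: condition key -> list of values (IAM keys may be single- or multi-valued).
Context = Dict[str, List[str]]


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike matching: '*' is any run of characters, '?' one character, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def expand_variables(pattern: str, ctx: Context) -> Optional[str]:
    """Replace ${key} policy variables with the key's single value; None if a key cannot resolve."""
    unresolved = False

    def repl(m: "re.Match[str]") -> str:
        nonlocal unresolved
        values = ctx.get(m.group(1), [])
        if len(values) != 1:  # policy variables need a single-valued key
            unresolved = True
            return ""
        return values[0]

    out = re.sub(r"\$\{([^}]+)\}", repl, pattern)
    return None if unresolved else out


def condition_matches(condition: dict, ctx: Context) -> bool:
    """Evaluate a Condition block (simplified model: only StringLike, with optional set qualifier)."""
    for operator, key_patterns in condition.items():
        qualifier, _, name = operator.rpartition(":")  # "ForAnyValue:StringLike" -> qualifier, name
        if name != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in key_patterns.items():
            if isinstance(patterns, str):
                patterns = [patterns]
            expanded = [expand_variables(p, ctx) for p in patterns]
            if any(p is None for p in expanded):
                return False  # an unresolved variable never matches
            values = ctx.get(key, [])

            def hit(v: str, pats=expanded) -> bool:
                return any(iam_string_like(p, v) for p in pats)

            if qualifier == "ForAllValues":
                ok = all(hit(v) for v in values)  # vacuously true when the key is absent
            elif qualifier == "ForAnyValue":
                ok = any(hit(v) for v in values)
            else:
                ok = len(values) == 1 and hit(values[0])  # plain operator: single-valued key only
            if not ok:
                return False
    return True


# The question's condition: the listed prefix must start with the caller's project tag value.
QUESTION_CONDITION = {"StringLike": {"s3:prefix": "${aws:PrincipalTag/project}/*"}}


def delimited_condition(folder: str) -> dict:
    """Documentation approach for a ':'-delimited tag (assumed delimiter): one statement per folder
    that allows every tag value in which that project name appears."""
    return {"StringLike": {
        "aws:PrincipalTag/project": [folder, f"{folder}:*", f"*:{folder}", f"*:{folder}:*"],
        "s3:prefix": f"{folder}/*",
    }}


def request_context(project_tag: str, prefix: str) -> Context:
    """Constructed request context for a bucket listing by a federated user carrying one tag."""
    return {"aws:PrincipalTag/project": [project_tag], "s3:prefix": [prefix]}


def question_policy_allows(project_tag: str, prefix: str) -> bool:
    return condition_matches(QUESTION_CONDITION, request_context(project_tag, prefix))


def delimited_policy_allows(project_tag: str, prefix: str, folders=("foo", "bar")) -> bool:
    ctx = request_context(project_tag, prefix)
    return any(condition_matches(delimited_condition(f), ctx) for f in folders)


def set_operator_demo() -> tuple:
    """Set qualifiers only make sense on a genuinely multi-valued key such as aws:TagKeys:
    returns (ForAllValues, ForAnyValue, plain StringLike) results for the same request."""
    ctx = {"aws:TagKeys": ["project", "env"]}
    allowed = ["project", "env", "owner"]
    return (
        condition_matches({"ForAllValues:StringLike": {"aws:TagKeys": allowed}}, ctx),
        condition_matches({"ForAnyValue:StringLike": {"aws:TagKeys": ["env"]}}, ctx),
        condition_matches({"StringLike": {"aws:TagKeys": allowed}}, ctx),  # multi-valued: no match
    )


if __name__ == "__main__":
    print("tag foo, prefix foo/      :", question_policy_allows("foo", "foo/"))
    print("tag foo:bar, prefix foo/  :", question_policy_allows("foo:bar", "foo/"))
    print("delimited policy, foo:bar :", delimited_policy_allows("foo:bar", "foo/"),
          delimited_policy_allows("foo:bar", "bar/"))
    print("set operators on aws:TagKeys:", set_operator_demo())
```

The point the model makes visible: with a single-valued `aws:PrincipalTag/project` there is exactly one value, so neither set qualifier adds anything, and the variable cannot split a delimited value; the only policy-side option the quoted documentation offers is to enumerate the folders and the tag patterns per folder, which grows with the number of projects and has to be kept in sync with whatever issues the tag.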