Instead of allowing individual dbuser users, how can I allow a Redshift dbgroup to access other AWS resources?
Explanation:
Currently, we have a role that allows Redshift Spectrum to query data in our S3 buckets. Also, we have a dbuser, say alice, and alice is also part of a dbgroup, say foobar. To allow alice to query the data, the trust relationship defined in our role looks something like:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "redshift.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": [
                "arn:aws:redshift:us-XXXX-X:XXXXXXXXXXXX:dbuser:cluster-1a/alice"
              ]
            }
          }
        }
      ]
    }
Everything works fine as we keep adding more users to the condition shown above. For example:
    "sts:ExternalId": [
      "arn:aws:redshift:us-XXXX-X:XXXXXXXXXXXX:dbuser:cluster-1a/alice",
      "arn:aws:redshift:us-XXXX-X:XXXXXXXXXXXX:dbuser:cluster-1a/bob"
    ]
Since both alice and bob are part of the dbgroup called foobar, how can I allow the foobar group to assume the role instead of allowing individual users?
I want something like:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "redshift.amazonaws.com"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": [
                "arn:aws:redshift:us-XXXX-X:XXXXXXXXXXXX:dbgroup:cluster-1a/foobar"
              ]
            }
          }
        }
      ]
    }
P.S. dbuser: cluster database user; dbgroup: cluster database user group.
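The trust policies above hinge on one thing: `StringEquals` on `sts:ExternalId` is an exact, case-sensitive match against whatever value the service presents in the AssumeRole call. The following is an added example, not code from the question or from AWS, that builds a trust policy with the same shape and simulates IAM's evaluation of it, so the effect of swapping the per-user ARN list for a group ARN can be checked before touching the real role. The region, account and cluster values are the question's redacted placeholders, `redshift_principal_arn`, `build_trust_policy` and `assume_role_allowed` are hypothetical helper names, and which ExternalId value Redshift actually presents for a given session is taken as an input to the simulation rather than asserted here.

```python
import json

# Constructed placeholders matching the question's redacted values; they are
# not real region, account or cluster identifiers.
REGION = "us-XXXX-X"
ACCOUNT = "XXXXXXXXXXXX"
CLUSTER = "cluster-1a"

REDSHIFT_SERVICE = "redshift.amazonaws.com"


def redshift_principal_arn(kind, name, region=REGION, account=ACCOUNT, cluster=CLUSTER):
    """Build a dbuser/dbgroup ARN in the form the question uses as
    sts:ExternalId (hypothetical helper, not an AWS API)."""
    if kind not in ("dbuser", "dbgroup"):
        raise ValueError("kind must be 'dbuser' or 'dbgroup'")
    return f"arn:aws:redshift:{region}:{account}:{kind}:{cluster}/{name}"


def build_trust_policy(external_ids):
    """Return a trust policy with the same shape as the one in the question:
    the Redshift service principal may assume the role only when the
    sts:ExternalId it presents is exactly one of external_ids."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": REDSHIFT_SERVICE},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": list(external_ids)}},
            }
        ],
    }


def assume_role_allowed(policy, service, external_id):
    """Simulate IAM's evaluation of the trust policy for one AssumeRole call.

    Only Allow statements for sts:AssumeRole by the given service principal
    are considered. StringEquals is an exact, case-sensitive comparison, and
    a condition key that is absent from the request (external_id is None)
    never satisfies a StringEquals condition.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt.get("Principal", {}).get("Service") != service:
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in condition:
            return True  # statement carries no ExternalId restriction
        allowed = condition["sts:ExternalId"]
        if isinstance(allowed, str):
            allowed = [allowed]  # IAM accepts a single string or a list here
        if external_id is not None and external_id in allowed:
            return True
    return False


def policy_json(policy):
    """Serialize the policy as it would be pasted into the role's trust
    relationship editor."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    alice = redshift_principal_arn("dbuser", "alice")
    bob = redshift_principal_arn("dbuser", "bob")
    foobar = redshift_principal_arn("dbgroup", "foobar")

    per_user = build_trust_policy([alice, bob])
    per_group = build_trust_policy([foobar])

    print(policy_json(per_group))
    # A request carrying the user ARN does not satisfy a group-only condition,
    # and vice versa: the two ARN kinds never match each other.
    print(assume_role_allowed(per_user, REDSHIFT_SERVICE, alice))   # True
    print(assume_role_allowed(per_user, REDSHIFT_SERVICE, foobar))  # False
    print(assume_role_allowed(per_group, REDSHIFT_SERVICE, foobar)) # True
    print(assume_role_allowed(per_group, REDSHIFT_SERVICE, alice))  # False
```

The useful check when moving from the per-user list to a group ARN is the cross case: a policy that lists only `dbgroup` ARNs allows nothing for a request that presents a `dbuser` ARN, so whichever form the cluster presents for a session is the one the condition has to name. The simulation also makes visible why an absent `Condition` block turns the statement into a blanket trust of the service principal, which is the opposite of the scoping the question is trying to tighten.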