Trying to create a resource-based policy and specifying a group as principal but it is failing,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<acc_number>:group/dev-group"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket>/text.txt"
}
]
}
It fails with error:
CodePudding user response:
This is not possible, per AWS documentation.
You can specify any of the following principals in a policy:
- AWS account and root user
- IAM users
- Federated users (using web identity or SAML federation)
- IAM roles
- Assumed-role sessions
- AWS services
- Anonymous users (not recommended)