I want to create an IAM Policy of my Secret Manager in AWS, to limit access to an Admin group. But in IAM Policy, I can't create a condition for an IAM group to have single access. I can limit to specific users, to a role, but not a group.
I found that you can limit to a role, and then the Admin can create a temporary link through which the user can temporarily take on the role's permissions for one hour. Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html. But I don't think this is the best process for me.
CodePudding user response:
So the answer is that you are putting your IAM policy in the wrong place.
With IAM Groups you assign Identity policies to the group, which then filter to all the users within said group.
With Resources (such as Secrets Manager) you assign Resource Policies, which can limit access to that resource (or grant specific allowances beyond other policies to specific other principals).
In effect, you want to create a Policy that gives Secret Manager permissions, then attach that policy to your group, rather than create a policy on Secret Manager that will give access to admins.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html
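As an added illustration of the answer above (this is example code, not part of the original post or of any AWS SDK), the snippet below builds the identity-based policy you would attach to the group, then runs a deliberately simplified IAM-style evaluation over a constructed set of users and groups to show that only group members get read access to that one secret, and nothing else. The secret ARN, the group name and the user names are constructed placeholders; the evaluator ignores conditions, NotAction/NotResource, permission boundaries and case-insensitive action matching, so it is for understanding the model, not for auditing real accounts.

```python
import fnmatch
import json

# Constructed placeholders for this example; substitute your own values.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-password-AbCdEf"
ADMIN_GROUP = "SecretsAdmins"


def build_identity_policy(secret_arn):
    """Identity-based policy to attach to the IAM group (not to the secret).

    Least privilege: read-only actions, scoped to a single secret ARN.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadSingleSecret",
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:DescribeSecret",
                ],
                "Resource": secret_arn,
            }
        ],
    }


def policy_document_json(secret_arn):
    """JSON text suitable for `aws iam create-policy --policy-document file://...`."""
    return json.dumps(build_identity_policy(secret_arn), indent=2)


def _matches(pattern, value):
    # IAM allows a string or a list of strings, with '*' and '?' wildcards.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, then any Allow,
    otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed directory: which policies hang off which group, and who is a member.
GROUP_POLICIES = {ADMIN_GROUP: [build_identity_policy(SECRET_ARN)]}
USER_GROUPS = {"alice": [ADMIN_GROUP], "bob": []}


def effective_policies(user):
    """Policies a user inherits through group membership (no user-level policies here)."""
    return [p for g in USER_GROUPS.get(user, []) for p in GROUP_POLICIES.get(g, [])]


def can(user, action, resource):
    return is_allowed(effective_policies(user), action, resource)


if __name__ == "__main__":
    print(policy_document_json(SECRET_ARN))
    for user in ("alice", "bob"):
        print(user, "GetSecretValue on prod secret:",
              can(user, "secretsmanager:GetSecretValue", SECRET_ARN))
    print("alice DeleteSecret on prod secret:",
          can("alice", "secretsmanager:DeleteSecret", SECRET_ARN))
```

In a real account the two steps the evaluator models are `aws iam create-policy` with the JSON from `policy_document_json`, followed by `aws iam attach-group-policy --group-name SecretsAdmins --policy-arn <returned ARN>`; adding or removing a user from the group is then the whole access-management workflow, with no role switching needed.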