How can I allow a Group to assume a Role?

Question

How can I allow all members of a Group to assume a Role in AWS IAM?

I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.

I want to achieve something like below:

{   "Version": "2012-10-17",   "Statement": [     {       "Sid": "",       "Effect": "Allow",       "Principal": {         "AWS": "arn:aws:iam::***:group/developer"       },       "Action": "sts:AssumeRole"     }   ] } 

The idea is that all members of the group group/developer should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.

Is there a way to achieve this?

Answer 1

Attach a policy to the Group that grants permission to call sts:AssumeRole on the desired Role:

{     "Version": "2012-10-17",     "Statement": [         {             "Sid": "123",             "Effect": "Allow",             "Action": [                 "sts:AssumeRole"             ],             "Resource": [                 "arn:aws:iam::123456789012:role/desired-role"             ]         }     ] } 

Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole permissions (above) to assume the role.

{   "Version": "2012-10-17",   "Statement": [     {       "Effect": "Allow",       "Principal": {         "AWS": "arn:aws:iam::123456789012:root"       },       "Action": "sts:AssumeRole"     }   ] } 

Answer 2

You cannot specify IAM groups as principals.

You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups as principals.

Per the documentation in AWS https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html