Reference: IAM JSON Policy Elements: Condition - AWS Identity and Access Management
Writing an OR Condition in an IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:user/xxxx-s"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": ["xxxxxxx_SFCRole=2_JVxxxxxxO3Bd/Pr0=", "xxxxxxx_SFCRole=2_dxxxxxxiw="]
        }
      }
    }
  ]
}
Patterns That Do Not Work (NG)
Invalid syntax
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:user/xxxx-s"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "xxxxxxx_SFCRole=2_JVxxxxxxO3Bd/Pr0=",
          "sts:ExternalId": "xxxxxxx_SFCRole=2_dxxxxxxiw="
        }
      }
    }
  ]
}
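An added example (not from the original page): a lenient JSON parser such as Python's json.loads does not flag the repeated "sts:ExternalId" key above, it silently keeps only the last value, so a local review can miss that one external ID was dropped. The strict loader below rejects duplicate keys before the policy is deployed; the account ID, user name and external IDs in the samples are constructed placeholders, and the function names are hypothetical.

```python
import json

class DuplicateKeyError(ValueError):
    """Raised when a JSON object in the policy repeats a key."""

def _reject_duplicates(pairs):
    # object_pairs_hook: fail on a repeated key instead of keeping the last one.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key in policy JSON: {key!r}")
        seen[key] = value
    return seen

def load_policy_strict(text):
    """Parse policy JSON, refusing any object that contains a duplicate key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)

def accepted_external_ids(policy):
    """Collect every sts:ExternalId value listed under StringEquals conditions."""
    ids = set()
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        value = (stmt.get("Condition", {})
                     .get("StringEquals", {})
                     .get("sts:ExternalId", []))
        ids.update([value] if isinstance(value, str) else value)
    return ids

# Constructed sample policies (placeholder account, user and external IDs).
TEMPLATE = '''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
 "Principal": {"AWS": "arn:aws:iam::111122223333:user/example"},
 "Action": "sts:AssumeRole",
 "Condition": {"StringEquals": {%s}}}]}'''
OR_FORM = TEMPLATE % '"sts:ExternalId": ["EXAMPLE_ID_A", "EXAMPLE_ID_B"]'
DUP_FORM = TEMPLATE % ('"sts:ExternalId": "EXAMPLE_ID_A", '
                       '"sts:ExternalId": "EXAMPLE_ID_B"')

if __name__ == "__main__":
    print(sorted(accepted_external_ids(load_policy_strict(OR_FORM))))
    # The lenient parser keeps only the last duplicate, losing EXAMPLE_ID_A.
    print(sorted(accepted_external_ids(json.loads(DUP_FORM))))
    try:
        load_policy_strict(DUP_FORM)
    except DuplicateKeyError as exc:
        print("rejected:", exc)
```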
Redundant, and therefore NG
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:user/xxxx-s"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "xxxxxxx_SFCRole=2_JVxxxxxxO3Bd/Pr0="
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:user/bkm20000-s"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "xxxxxxx_SFCRole=2_dxxxxxxiw="
        }
      }
    }
  ]
}