Using predefined attributes from the IAM Identity Center directory for access control in AWS

Each user in the IAM Identity Center directory is assigned a unique UserId. You can view the UserId for your users by using the IAM Identity Center console and navigating to each user or by using the DescribeUser API action. IAM Identity Center allows you to use this UserId in permissions sets or resource-based policies for making access control decisions in AWS. For example, the following permissions policy allows a user with <UserId> to call get operations against all of their Amazon S3 resources. This permission allows the user to read the object data from mybucket.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":"*",
         "Action":[
            "s3:GetObject",
            "s3:GetObjectVersion"
         ],
         "Resource":[
            "arn:aws:s3:::mybucket/*"
         ],
         "Condition":{
            "StringEquals":{
               "identitystore:UserId":[
                  "<UserId>"
               ]
            }
         }
      }
   ]
}

If you want to confirm that the caller is an IAM Identity Center user, you can specify a Null clause as a condition, as follows:


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Condition":{
            "Null":{
               "identitystore:UserId":"false"
            }
         }
      }
   ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Supported user and group attributes

Connect to a Microsoft AD directory