AWS creds access limitation


AWS dynamic secrets works great however, I don’t understand how to write an ACL that limits access to certain roles.
I have 2 AWS roles: s3-role and ec2-role. I would like group A to only be able to generate an AccessKey/Secret with the s3-role only and not be allowed to generate ec2-role creds.
Is this possible? Or do I need to create another AWS Secret?


Since the role name is part of the path, it’s pretty simple?

policy 1:

path "aws/creds/s3-role" {
  capabilities = ["read"]

policy 2:

path "aws/creds/ec2-role" {
  capabilities = ["read"]

Yes… I just find it by myself…
I was expecting something like aws/my/path/ and not working with the role path…

Thank yo!