{"id":1772,"date":"2025-08-14T13:27:46","date_gmt":"2025-08-14T13:27:46","guid":{"rendered":"https:\/\/192.168.1.3\/wordpress\/?p=1772"},"modified":"2026-04-21T14:00:01","modified_gmt":"2026-04-21T06:00:01","slug":"attribute-based-access-control-abac-examples","status":"publish","type":"post","link":"https:\/\/mylinuxsite.com\/wordpress\/?p=1772","title":{"rendered":"Attribute-based Access Control (ABAC) Examples"},"content":{"rendered":"\n

Example 1 – ABAC Using Tags<\/strong><\/h4>\n\n\n\n
Summary<\/strong><\/h5>\n\n\n\n

In this example, we will demonstrate ABAC using tags.<\/p>\n\n\n\n

We will have two(2) roles: ABACRole1<\/strong> and ABACRole2<\/strong>. ABACRole1 will assume ABACRole2, which has access to objects in an S3 bucket. ABACRole1 will be allowed to assume ABACRole2 if both have the same value in a particular tag, and ABACRole2 will be allowed to access objects in the S3 bucket if the object has the same value of a specific tag.<\/p>\n\n\n\n

Demonstration<\/strong><\/h5>\n\n\n\n
    \n
  1. Deploy the application stack.<\/li>\n<\/ol>\n\n\n\n

    Clone this CDK folder<\/a> and deploy the stack. <\/p>\n\n\n\n

    cdk deploy <\/code><\/pre>\n\n\n\n
    The stack will create three (3) resources, namely: (1) IAM role called ABACRole1, (2) IAM role ABACRole2 and (3) an S3 bucket with a name auto-generated by CloudFormation. The stack will also copy a file called “hello_world.txt<\/em>” into the S3 bucket.<\/p>\n\n\n\n
    \"\"<\/a><\/figure>\n\n\n\n
    The IAM role ABACRole2 will have the following condition in its trust<\/em> relationship:<\/p>\n\n\n\n
    \"Condition\": {\n     \"ForAnyValue:StringEquals\": {\n        \"aws:ResourceTag\/team\": \"${aws:PrincipalTag\/team}\"\n     }\n}<\/code><\/pre>\n\n\n\n
    In its S3<\/em> permission policy, it will have the following condition:<\/p>\n\n\n\n
    \"Condition\": {\n      \"ForAnyValue:StringEquals\": {\n         \"s3:ExistingObjectTag\/team\": \"${aws:PrincipalTag\/team}\"\n       }\n }<\/code><\/pre>\n\n\n\n
      \n
    1. Assume and switch to ABACRole1.<\/li>\n<\/ol>\n\n\n\n
      ROLE_1_TOKENS=$(aws sts assume-role --role-arn arn:aws:iam::<account id>:role\/ABACRole1 --role-session-name ABAC-Role-1 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)\nexport AWS_ACCESS_KEY_ID=$(echo $ROLE_1_TOKENS | cut -d' ' -f1)\nexport AWS_SECRET_ACCESS_KEY=$(echo $ROLE_1_TOKENS | cut -d' ' -f2)\nexport AWS_SESSION_TOKEN=$(echo $ROLE_1_TOKENS | cut -d' ' -f3)\naws sts get-caller-identity <\/code><\/pre>\n\n\n\n
      Note: The role that you used to deploy the CDK above will be a trusted principal in ABACRole1. This should allow you to assume this role from the role that created the stack<\/em>.<\/p>\n\n\n\n
        \n
      1. Assume ABACRole2.<\/li>\n<\/ol>\n\n\n\n
        aws sts assume-role --role-arn arn:aws:iam::<account id>:role\/ABACRole1 --role-session-name ABAC-Role-1 <\/code><\/pre>\n\n\n\n
        This should fail because neither role has any tag.<\/p>\n\n\n\n
          \n
        1. Re-run the stack using the step_1<\/em> context.<\/li>\n<\/ol>\n\n\n\n
          cdk deploy --context step_no=step_1<\/code><\/pre>\n\n\n\n
          Under this context, the deployment will add the tag ‘team:abac<\/em>‘ to both ABACRole1 and ABACRole2<\/p>\n\n\n\n
            \n
          1. Now repeat 2<\/a> & 3<\/a>.1<\/a><\/sup><\/li>\n<\/ol>\n\n\n\n
            This should be successful. <\/p>\n\n\n\n
              \n
            1. Switch to ABACRole2 and copy the file “hello_world.txt” from the S3 bucket.<\/li>\n<\/ol>\n\n\n\n
              ROLE_2_TOKENS=$(aws sts assume-role --role-arn arn:aws:iam::<account id>:role\/ABACRole2 --role-session-name ABAC-Role-2 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)\nexport AWS_ACCESS_KEY_ID=$(echo $ROLE_2_TOKENS | cut -d' ' -f1)\nexport AWS_SECRET_ACCESS_KEY=$(echo $ROLE_2_TOKENS | cut -d' ' -f2)\nexport AWS_SESSION_TOKEN=$(echo $ROLE_2_TOKENS | cut -d' ' -f3)\naws sts get-caller-identity\naws s3 cp s3:\/\/abacsample1stack-bucketxxxxx-yyyyyyyy\/hello_world.txt \/tmp<\/code><\/pre>\n\n\n\n
              This should fail because the S3 object has no tag.<\/p>\n\n\n\n
                \n
              1. Re-run the stack using the step_2<\/em> context.<\/li>\n<\/ol>\n\n\n\n
                cdk deploy --context step_no=step_2<\/code><\/pre>\n\n\n\n
                Under this context, the deployment will add the tag ‘team:abac<\/em>‘ to the S3 object “hello_world.txt”<\/p>\n\n\n\n
                  \n
                1. Retry  6<\/a>.1<\/a><\/sup><\/li>\n<\/ol>\n\n\n\n
                  This should be successful since both the role and the object have the same value in their ‘team’ tag.<\/p>\n\n\n\n
                  Footnotes<\/strong><\/h4>\n\n\n\n
                    \n
                  1. Whenever you need to re-run the CDK, you must switch back to the role that has the privilege to deploy the infrastructure. So when you repeat steps, you need to assume ABACRole1 and ABCRole2 again. Alternatively, you can have another terminal dedicated solely to deploying the CDK.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
                    Example 1 – ABAC Using Tags Summary In this example, we will demonstrate ABAC using tags. We will have two(2) roles: ABACRole1 and ABACRole2. ABACRole1 will assume ABACRole2, which has access to objects in an S3 bucket. ABACRole1 will be allowed to assume ABACRole2 if both have the same value in a particular tag, and […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[12],"tags":[],"class_list":["post-1772","post","type-post","status-publish","format-standard","hentry","category-articles"],"_links":{"self":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1772","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1772"}],"version-history":[{"count":18,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1772\/revisions"}],"predecessor-version":[{"id":1979,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1772\/revisions\/1979"}],"wp:attachment":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}