...
In AWS, an account owner provisions the users who will have access to the AWS console. Using AWS Identity and Access Management (IAM), the account owner can assign roles to those users, each role carrying a specific level of permissions.
...
Example attribute resolver stanzas for a group naming convention of the form "aws.123456789012.read-only", where the first segment is the AWS account ID and the second is the IAM role name:

```xml
<!-- Maps each LDAP group of the form aws.<account-id>.<role-name> to the
     "provider ARN,role ARN" pair that AWS expects in the Role attribute.
     $1 is the account ID, $2 is the role name. Note that the dots in the
     SourceValue regex are unescaped, so they match any single character. -->
<resolver:AttributeDefinition id="awsRoles" xsi:type="ad:Mapped" sourceAttributeID="MemberOf">
    <resolver:Dependency ref="ldap"/>
    <resolver:AttributeEncoder name="https://aws.amazon.com/SAML/Attributes/Role" friendlyName="Role" />
    <ad:ValueMap>
        <ad:ReturnValue>arn:aws:iam::$1:saml-provider/Shibboleth,arn:aws:iam::$1:role/$2</ad:ReturnValue>
        <ad:SourceValue>cn=aws.([^.]*).([^,]*),.*</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- The user's mail address becomes the RoleSessionName, which AWS records
     in CloudTrail for every API call made with the assumed role. -->
<resolver:AttributeDefinition id="awsRoleSessionName" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="ldap"/>
    <resolver:AttributeEncoder name="https://aws.amazon.com/SAML/Attributes/RoleSessionName" friendlyName="RoleSessionName" />
</resolver:AttributeDefinition>
```
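The following Python script is an added example, not part of the page or of the Shibboleth project: it emulates the ad:Mapped ValueMap above against a constructed set of LDAP memberOf values, so the regex and its $1/$2 substitution can be checked before the configuration goes live. It also shows a tightened pattern (my suggestion, not on the page) that escapes the literal dots and requires a 12-digit account ID, so that a group name which merely starts with "aws" cannot produce a malformed role ARN. The sample DNs, the mail address and the assumption that the IdP matches the whole attribute value are mine.

```python
import re

# Values copied from the page's ad:Mapped stanza.
SOURCE_VALUE = r"cn=aws.([^.]*).([^,]*),.*"
RETURN_VALUE = "arn:aws:iam::$1:saml-provider/Shibboleth,arn:aws:iam::$1:role/$2"

# Tightened pattern (this example's suggestion, not on the page): literal dots are
# escaped and the account id must be exactly 12 digits, so group names that merely
# start with "aws" cannot produce malformed ARNs.
STRICT_SOURCE_VALUE = r"cn=aws\.(\d{12})\.([^,]*),.*"


def map_groups_to_roles(member_of, source_value=SOURCE_VALUE, return_value=RETURN_VALUE):
    """Emulate the ad:Mapped ValueMap: every memberOf DN that matches source_value
    yields return_value with $1/$2 replaced by the captured groups; DNs that do
    not match are dropped, so unrelated groups never reach AWS."""
    pattern = re.compile(source_value)
    roles = []
    for dn in member_of:
        match = pattern.fullmatch(dn)  # assumption: the IdP matches the whole value
        if match is None:
            continue
        value = return_value
        for index, captured in enumerate(match.groups(), start=1):
            value = value.replace(f"${index}", captured)
        roles.append(value)
    return roles


def build_aws_attributes(member_of, mail, source_value=SOURCE_VALUE):
    """Assemble the two SAML attributes that the page's two stanzas produce."""
    return {
        "https://aws.amazon.com/SAML/Attributes/Role": map_groups_to_roles(member_of, source_value),
        "https://aws.amazon.com/SAML/Attributes/RoleSessionName": mail,
    }


def split_role_value(value):
    """Split one Role attribute value into (provider_arn, role_arn)."""
    provider_arn, role_arn = value.split(",", 1)
    return provider_arn, role_arn


# Constructed sample LDAP memberOf values (not from the page).
SAMPLE_MEMBER_OF = [
    "cn=aws.123456789012.read-only,ou=groups,dc=example,dc=edu",
    "cn=aws.123456789012.admin,ou=groups,dc=example,dc=edu",
    "cn=staff,ou=groups,dc=example,dc=edu",       # unrelated group, must be ignored
    "cn=aws-legacy,ou=groups,dc=example,dc=edu",  # only starts with "aws"
]

if __name__ == "__main__":
    for label, pattern in (("page pattern", SOURCE_VALUE), ("strict pattern", STRICT_SOURCE_VALUE)):
        attrs = build_aws_attributes(SAMPLE_MEMBER_OF, "jdoe@example.edu", pattern)
        print(label)
        for role_value in attrs["https://aws.amazon.com/SAML/Attributes/Role"]:
            print("  ", split_role_value(role_value))
```

Run against the sample, the page's pattern emits the two expected role pairs for account 123456789012 but also emits a nonsense pair for `cn=aws-legacy`, because the unescaped dots let the regex re-anchor inside the DN; the strict pattern emits only the two real roles. AWS would reject the malformed ARN, but the point of the check is to catch such groups at the IdP rather than discover them in a failed login.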
A caveat with the use of roles is that roles do not support MFA on the AWS side; the institution can instead enforce MFA at the IdP or SSO layer. One obvious advantage of IAM roles over IAM users is that there are no long-lived credentials on the AWS side to manage: when a user is removed from the group, or leaves the institution, they can no longer obtain a session in the AWS environment. Temporary credentials already issued for an assumed role remain valid until that session expires, so the role's session duration bounds how long such access lingers.
...