Reputation: 23
We have SSO (Azure AD) authentication enabled and configured in the organization root account. I am working on a Terraform module in one of the sub-accounts, and the module needs to grant permissions (in this case - ssm:StartSession) on the EC2 instances it creates to a set of SSO users. However, I cannot attach a new policy to the SSO roles of the users, since the roles are created by AWS SSO and cannot be modified directly.
How can I add an identity policy to a specific user/group? I do have access to the root org account, if needed, but I would like a fully automated way of doing so (with Terraform, of course).
Upvotes: 0
Views: 994
Reputation: 818
However, I cannot attach a new policy to the SSO roles of the users, since the roles are created by AWS SSO and cannot be modified directly.
Terraform aws provider has resources to attach a managed policy or an inline policy (needed in your use case) to permissions sets:
Permission sets and inline policies must be created under the SSO management account. Create a new permission set and inline policy and assign groups with the new permissions by using aws_ssoadmin_account_assignment.
You can create multi-account setup for Terraform if you want to deploy resources on multiple accounts. One way to achieve this is described here.
Upvotes: 1
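The setup the answer describes, as an added example (not the answerer's code): it is applied with credentials for the SSO management account, assumes a hypothetical Azure AD-synced group named "ec2-operators", takes the sub-account id as a variable, and scopes ssm:StartSession to instances the sub-account module tags with SessionAccess=true rather than to every instance. The alternate_identifier lookup syntax requires a recent Terraform AWS provider.

```hcl
variable "target_account_id" { type = string } # sub-account the module deploys into
data "aws_ssoadmin_instances" "this" {}
locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}
# Resolve the Azure AD-synced group by display name (hypothetical group name).
data "aws_identitystore_group" "operators" {
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "ec2-operators"
    }
  }
}
resource "aws_ssoadmin_permission_set" "ssm_session" {
  name         = "SSMSessionTaggedInstances"
  instance_arn = local.sso_instance_arn
}
# Scope StartSession to instances carrying a tag the sub-account module sets, not to "*".
data "aws_iam_policy_document" "ssm_session" {
  statement {
    actions   = ["ssm:StartSession"]
    resources = ["arn:aws:ec2:*:${var.target_account_id}:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ssm:resourceTag/SessionAccess"
      values   = ["true"]
    }
  }
  statement { # read-only calls the CLI/console use to find session targets
    actions   = ["ec2:DescribeInstances", "ssm:DescribeInstanceInformation"]
    resources = ["*"]
  }
}
resource "aws_ssoadmin_permission_set_inline_policy" "ssm_session" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ssm_session.arn
  inline_policy      = data.aws_iam_policy_document.ssm_session.json
}
# Assign the group to the permission set in the sub-account; AWS SSO provisions the role there.
resource "aws_ssoadmin_account_assignment" "operators" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.ssm_session.arn
  principal_id       = data.aws_identitystore_group.operators.group_id
  principal_type     = "GROUP"
  target_id          = var.target_account_id
  target_type        = "AWS_ACCOUNT"
}
```

The sub-account module only needs to tag the instances it creates; the SSO-managed role in that account is updated by AWS SSO whenever the permission set changes, so nothing in the sub-account has to be modified directly.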