Reputation: 498
I have an AWS multi-account setup where I use IAM Identity Center to manage users and control access. I'm using a managed AWS role to grant view-only access. When I'm logged into one of these accounts (let's call it prod), I'd like to be able to use STS to assume a role in a different account (let's call that one shared).
To do this I need to set up an IAM role in shared that grants appropriate access and has a trust policy that allows me to do so. Initially I've started out with this (which works):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<prodAccountID>:root"
},
"Action": "sts:AssumeRole"
}
]
}
How do I change that principal from anything coming from prod to only those logged in via the SSO and with a specific role?
As an example:
$ aws sts get-caller-identity
{
"UserId": "<some-id>:<username>",
"Account": "<prodAccountID>",
"Arn": "arn:aws:sts::<prodAccountID>:assumed-role/AWSReservedSSO_view-only_9ec0318096f8cdd9/<username>"
}
I'd like anyone with the AWSReservedSSO_view-only_9ec0318096f8cdd9 role to be able to assume the role.
Upvotes: 7
Views: 7325
Reputation: 1434
I have a similar issue. I am added to the AWS root account through AWS Identity Center with AdministratorAccess rights.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I have the above role and I am logged in as a federated user, so I see something like AWSReservedSSO_AdministratorAccess_<some_number>/<user_name> in AWS. What should I add to the trust policy to be able to assume the above role?
Upvotes: 0
Reputation: 21
AWS has somewhat hidden their explanation of how things work with IAM Identity Center.
AWS LINK
AWS creates a role for each permission set assignment you make. When a user signs in through Identity Center, the user assumes the newly created role with the permissions defined in the permission set.
If you want to allow this role to assume another role, you need to write a specific trust policy on the target role.
AWS has described how the name is generated, so you can build it yourself when needed. From the documentation:
Name | ARN |
---|---|
AWSReservedSSO_permission-set-name_unique-suffix | arn:aws:iam::aws-account-ID:role/aws-reserved/sso.amazonaws.com/aws-region/AWSReservedSSO_permission-set-name_unique-suffix |
For example, if you create a permission set that grants AWS account access to database administrators, a corresponding role is created with the following name and ARN:
Name | ARN |
---|---|
AWSReservedSSO_DatabaseAdministrator_1234567890abcdef | arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_DatabaseAdministrator_1234567890abcdef |
If you delete all assignments to this permission set in the AWS account, the corresponding role that IAM Identity Center created is also deleted. If you make a new assignment to the same permission set later, IAM Identity Center creates a new role for the permission set. The name and ARN of the new role include a different, unique suffix. In this example, the unique suffix is abcdef0123456789.
Because of that the Trust Policy should look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_AdministratorAccess_*"
}
}
}
]
}
You first allow the whole account "111122223333" to assume the role and then filter on the ARN so that only the IAM Identity Center role can assume the target role. You can't enter the role directly into the Principal section, as no wildcards are allowed there and the target principal must be present.
Upvotes: 2
Reputation: 498
By a lot of trial and error, it turns out that aws:PrincipalArn is the ARN of the assumed role. Whether this is bulletproof is unclear to me.
But it does allow a trust policy like this to do what I'm looking for:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<prodAccountID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": "arn:aws:iam::<prodAccountID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_view-only_*"
}
}
}
]
}
EDIT: Upon further experimentation also discovered that it is possible to do:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<prodAccountID>:role/aws-reserved/sso.amazonaws.com/<SSO-region>/AWSReservedSSO_view-only_9ec0318096f8cdd9"
},
"Action": "sts:AssumeRole"
}
]
}
This comes with the limitation that the SSO-managed role has to exist beforehand and you need to know the full name, not just that it's called view-only.
Upvotes: 8
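As an added example (not code from the question or either answer), the following Python models how the two trust-policy shapes discussed above are evaluated: an account-root Principal narrowed by an ArnLike condition on aws:PrincipalArn (the approach in both answers), and an exact IAM-role Principal with no condition (the edit in the accepted answer). It implements only the IAM semantics those policies rely on: a root-account Principal admits any IAM principal in that account, Principal values take no wildcards, and ArnLike compares the six colon-delimited ARN components separately with `*` and `?` wildcards. The account ID 111122223333, the region eu-west-2, the unique suffixes and the session name "alice" are constructed values; nothing here calls AWS.

```python
"""Offline evaluator for the trust-policy shapes in this thread. Added example,
not code from the page; models only the IAM features those policies use and is
not a substitute for the IAM policy simulator or a real sts:AssumeRole call."""
import re

# Constructed values: account ID, region, unique suffixes and user are made up.
ACCOUNT = "111122223333"
SSO_PATH = f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/eu-west-2/"
VIEW_ONLY_ROLE = SSO_PATH + "AWSReservedSSO_view-only_9ec0318096f8cdd9"
ADMIN_ROLE = SSO_PATH + "AWSReservedSSO_AdministratorAccess_0123456789abcdef"
# What `aws sts get-caller-identity` shows for a view-only session. The service
# is sts and the role path is dropped, so this is NOT the aws:PrincipalArn value;
# for an assumed-role session aws:PrincipalArn carries the IAM role's ARN.
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/AWSReservedSSO_view-only_9ec0318096f8cdd9/alice"

CONDITIONAL_POLICY = {
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"ArnLike": {"aws:PrincipalArn":
        f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_view-only_*"}},
}
EXACT_POLICY = {
    "Effect": "Allow",
    "Principal": {"AWS": VIEW_ONLY_ROLE},
    "Action": "sts:AssumeRole",
}


def _component_matches(pattern, value):
    """ArnLike inside one colon-delimited component: '*' matches any run of
    characters (slashes included), '?' exactly one; otherwise case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like(pattern, arn):
    """ArnLike checks the six ARN components separately
    (arn, partition, service, region, account, resource)."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_component_matches(x, y) for x, y in zip(p, a))


def principal_allows(policy_principal, caller_role_arn):
    """'arn:aws:iam::<acct>:root' admits every IAM principal in that account;
    anything else must equal the caller's role ARN exactly (no wildcards)."""
    parts = policy_principal.split(":", 5)
    if len(parts) == 6 and parts[5] == "root":
        return caller_role_arn.split(":", 5)[4] == parts[4]
    return policy_principal == caller_role_arn


def statement_allows(statement, principal_arn, action="sts:AssumeRole"):
    """Evaluate one trust-policy statement for the given aws:PrincipalArn value."""
    actions = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    if statement.get("Effect") != "Allow" or action not in actions:
        return False
    principals = statement["Principal"].get("AWS", [])
    principals = [principals] if isinstance(principals, str) else principals
    if not any(principal_allows(p, principal_arn) for p in principals):
        return False
    for key, patterns in statement.get("Condition", {}).get("ArnLike", {}).items():
        if key.lower() != "aws:principalarn":
            continue  # condition keys are case-insensitive; only this key is modelled
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if not any(arn_like(pat, principal_arn) for pat in patterns):
            return False
    return True


def evaluate():
    """The checks worth running before deploying either policy."""
    return {
        "view_only_conditional": statement_allows(CONDITIONAL_POLICY, VIEW_ONLY_ROLE),
        "admin_conditional": statement_allows(CONDITIONAL_POLICY, ADMIN_ROLE),
        "other_account": statement_allows(CONDITIONAL_POLICY, VIEW_ONLY_ROLE.replace(ACCOUNT, "444455556666")),
        # a role with a look-alike name outside the aws-reserved/sso.amazonaws.com path
        "lookalike_outside_sso_path": statement_allows(
            CONDITIONAL_POLICY, f"arn:aws:iam::{ACCOUNT}:role/AWSReservedSSO_view-only_deadbeef"),
        # the STS session ARN from get-caller-identity never matches the role pattern
        "session_arn_vs_pattern": arn_like(
            CONDITIONAL_POLICY["Condition"]["ArnLike"]["aws:PrincipalArn"], SESSION_ARN),
        "view_only_exact": statement_allows(EXACT_POLICY, VIEW_ONLY_ROLE),
        # the exact Principal breaks as soon as the permission set is re-assigned with a new suffix
        "recreated_suffix_exact": statement_allows(EXACT_POLICY, SSO_PATH + "AWSReservedSSO_view-only_abcdef0123456789"),
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:28} {'ALLOW' if allowed else 'DENY'}")
```

Two things the output makes concrete. First, the session ARN that `aws sts get-caller-identity` prints is not what the ArnLike condition sees: it carries the sts service and drops the role path, so the pattern has to be written against the IAM role ARN, and the path `aws-reserved/sso.amazonaws.com/<region>/` has to be looked up rather than inferred (for example with `aws iam list-roles --path-prefix /aws-reserved/sso.amazonaws.com/ --query 'Roles[].Arn'` in the prod account). Second, pinning that path in the pattern is what keeps a similarly named role elsewhere in the account from matching, while the wildcard on the suffix is what lets the conditional policy survive the role being deleted and recreated, which the exact-Principal variant does not.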