why aws assume-role-with-saml requires role and principal? - amazon-web-services

Could anybody explain why the operation assume-role-with-saml needs some parameters that are already in the SAML assertion, such as role-arn and principal-arn?

After some research I'm able to answer. I was asking why send the --role-arn parameter if it is already in the SAML assertion. In fact the SAML assertion can have more than one role, so in the API request it is necessary to identify which role should be assumed. I found the answer in this link.

The Amazon documentation for assume-role-with-saml provides the information:
The --role-arn string option identifies the role that the caller is assuming.
The --principal-arn string option requires closer reading. Amazon says
The Amazon Resource Name (ARN) of the SAML provider in AWS IAM that describes the IdP.
The explanation for the latter is given a few paragraphs before:
Before your application can call assume-role-with-saml , you must configure your SAML identity provider (IdP) to issue the claims required by AWS.
The same page provides a link to Using Identity Providers, which explains the term:
Using identity providers, you can manage user identities outside of AWS, and you can give these external user identities permissions to use AWS resources in your account.
That is, you could associate an external user identity with a role using the --principal-arn option. The --role-arn option is not really optional, but a required parameter.
The saml-assertion option (--saml-assertion string) is additional "glue" which may be used to check permissions. Following the link in the description for this option to Configuring a Relying Party and Adding Claims, Amazon says
You also need to create appropriate claim rules in your IdP with AWS as a relying party. These rules map information about users and groups in your organization into appropriate SAML attributes. This lets you make sure that SAML authentication responses (assertions) from your IdP contain the necessary attributes that AWS uses in IAM policies to check permissions for federated users.
and in turn, that links to a page describing the assertions: Configure Assertions for the SAML Authentication Response
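To make the answer above concrete, here is an added example (not code from the original answers or from AWS) that decodes a SAMLResponse, lists the role/provider pairs carried in the https://aws.amazon.com/SAML/Attributes/Role attribute, and builds the parameters that assume-role-with-saml needs once the caller has chosen one of them. The sample response, account ids, provider name and session tag are constructed placeholders; the response is unsigned, which a real IdP's never is, and nothing here checks signatures because that is STS's job against the provider named by --principal-arn.

```python
"""Added example: why --role-arn and --principal-arn are still needed.

The IdP may put several "role-arn,provider-arn" pairs in the Role
attribute. The client has to pick one pair and echo it back to STS,
which validates the assertion's signature against that SAML provider.
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
           "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Constructed, UNSIGNED sample response: two roles in two accounts (placeholder
# ids), the pair in either order, plus one PrincipalTag session tag.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::222222222222:saml-provider/CorpIdP,arn:aws:iam::222222222222:role/Admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:mfa">
        <saml:AttributeValue>true</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def _values(element, xpath):
    return [(v.text or "").strip() for v in element.findall(xpath, SAML_NS)]


def parse_saml_response(saml_response_b64):
    """Return the (role_arn, provider_arn) pairs and PrincipalTag attributes.

    No signature verification happens here: this only reads what a client
    needs in order to choose a role; STS performs the actual validation.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for value in _values(root, f".//saml:Attribute[@Name='{ROLE_ATTR}']/saml:AttributeValue"):
        parts = [p.strip() for p in value.split(",")]
        role = [p for p in parts if ":role/" in p]
        provider = [p for p in parts if ":saml-provider/" in p]
        if len(parts) != 2 or len(role) != 1 or len(provider) != 1:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        roles.append((role[0], provider[0]))  # normalised to (role, provider)
    tags = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if name.startswith(TAG_PREFIX):
            vals = _values(attr, "saml:AttributeValue")
            tags[name[len(TAG_PREFIX):]] = vals[0] if vals else ""
    return {"roles": roles, "tags": tags}


def build_assume_role_kwargs(saml_response_b64, role_arn, duration_seconds=3600):
    """Parameters for sts.assume_role_with_saml (boto3) / the CLI's
    --role-arn, --principal-arn and --saml-assertion for the chosen role."""
    for role, provider in parse_saml_response(saml_response_b64)["roles"]:
        if role == role_arn:
            return {"RoleArn": role, "PrincipalArn": provider,
                    "SAMLAssertion": saml_response_b64,
                    "DurationSeconds": duration_seconds}
    raise LookupError(f"{role_arn} is not offered by this assertion")


if __name__ == "__main__":
    parsed = parse_saml_response(SAMPLE_RESPONSE_B64)
    for role, provider in parsed["roles"]:
        print(f"offered: {role}  via  {provider}")
    kwargs = build_assume_role_kwargs(SAMPLE_RESPONSE_B64,
                                      "arn:aws:iam::111111111111:role/ReadOnly")
    # boto3.client("sts").assume_role_with_saml(**kwargs) would be the real call
    print({k: v for k, v in kwargs.items() if k != "SAMLAssertion"})
```

The normalisation step matters in practice: AWS accepts the role and provider ARNs in either order inside the attribute value, so a client that assumes the role always comes first will hand STS a provider ARN as --role-arn for some IdPs.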

Related

AWS IAM External Identity Provider and MultiFactorAuthPresent condition

In IAM Trust Policy we can use the MultiFactorAuthPresent condition to enforce MFA to be enabled. However, does that condition work with an external Identity Provider? e.g. If I'm authenticated using Azure AD or Google Workspace, the authentication is done at the external Identity provider; does the MFA info get passed to IAM?
How about AWS SSO with an external provider? Is it the same?
When authentication is done by External IdP (i.e. Azure AD), MFA is performed as part of the authentication flow before SAMLResponse is returned to AWS Signin page. For Azure AD IdP, you can use Conditional Access policy to enforce MFA for the application.
I haven't tested but I would think you can pass an additional attribute (outside of the role trust ARN / role ARN attribute). Then you can read the value at the IAM trust policy level. You can get more info at Passing session tags in AWS STS.
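The session-tag approach suggested above, written out as an added example (not code from the original answer or from AWS): a role trust policy that lets the SAML provider assume the role and pass session tags, with the IdP's MFA outcome required through an aws:RequestTag condition, followed by a simplified local check of that condition. The provider ARN and the tag key "mfa" are placeholders, and the IdP is assumed to map its MFA result to https://aws.amazon.com/SAML/Attributes/PrincipalTag:mfa; the checker re-implements only StringEquals on the keys used here and is not IAM's evaluator.

```python
"""Added example: trust policy for SAML federation with a required session tag.

sts:TagSession must be allowed in the trust policy for PrincipalTag attributes
to become session tags, and aws:RequestTag/<key> is the condition key that is
evaluated at assume time for the tags being passed.
"""
import json

SIGNIN_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_trust_policy(provider_arn, required_tags):
    """Trust policy allowing AssumeRoleWithSAML + TagSession from one
    provider, restricted to the AWS sign-in audience and to sessions that
    carry every tag in required_tags with the given value."""
    string_equals = {"SAML:aud": SIGNIN_AUDIENCE}
    for key, value in required_tags.items():
        string_equals[f"aws:RequestTag/{key}"] = value
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": ["sts:AssumeRoleWithSAML", "sts:TagSession"],
            "Condition": {"StringEquals": string_equals},
        }],
    }


def request_context(session_tags, audience=SIGNIN_AUDIENCE):
    """The condition keys an AssumeRoleWithSAML call would present:
    the assertion's audience plus one aws:RequestTag entry per session tag."""
    context = {"SAML:aud": audience}
    context.update({f"aws:RequestTag/{k}": v for k, v in session_tags.items()})
    return context


def conditions_satisfied(policy, context):
    """Simplified local check (NOT IAM): every StringEquals key in the first
    statement must be present in the context with exactly the expected value.
    A missing tag therefore denies, which is the behaviour we want for MFA."""
    condition = policy["Statement"][0]["Condition"].get("StringEquals", {})
    return all(context.get(key) == expected for key, expected in condition.items())


if __name__ == "__main__":
    policy = saml_trust_policy("arn:aws:iam::111111111111:saml-provider/CorpIdP",
                               {"mfa": "true"})
    print(json.dumps(policy, indent=2))
    print("with mfa tag:   ", conditions_satisfied(policy, request_context({"mfa": "true"})))
    print("without mfa tag:", conditions_satisfied(policy, request_context({})))
```

The weak point to keep in mind is that AWS only sees the tag value the IdP chose to emit, so the IdP's own MFA enforcement (the Conditional Access policy mentioned above) is what makes the tag trustworthy; the trust policy condition just refuses sessions where the IdP did not assert it.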

The ambiguous role mapping rules for: cognito with microsoft active directory

I've encountered the following error message when I'm trying to integrate AWS Cognito and AWS ElasticSearch with AD. I've set up AD and Cognito integration, but after login with an AD user in the AD console I've encountered the following message. But when I created a user in AWS Cognito and logged in with its authentication, it was working. Please let me know what I've missed configuring. Thanks.
• Check whether the user pool id and app client id from user pool configurations are correctly configured in federated identities page. Also, check whether correct template is selected for authentication to Active Directory purposes, i.e., ‘Allow access for one or more AWS accounts or IAM users’ is selected.
• Please ensure that the Amazon Elasticsearch domain has sufficient access to the authorized AD users and groups through the access control policy. Also, check the IAM roles with the exact same name as AD groups are authorized or permitted for authentication with Active Directory or not.
• If using ADFS for federated identities with Microsoft Active Directory, check the relying party SAML 2.0 SSO service URL in ADFS configuration. Also, check the claim rules in ADFS and the issuance policy in ADFS. On the AWS side in the Elasticsearch console, check the roles key configuration under optional SAML settings.
Please find the links below for more information:
https://aws.amazon.com/blogs/security/configure-saml-single-sign-on-for-kibana-with-ad-fs-on-amazon-elasticsearch-service/
Sorry! Something went wrong during authentication between Kibana and Amazon Cognito

Third party admin access in AWS via OAuth

Is there a way to grant admin access to a third party in AWS without manually creating IAM role etc, purely via OAuth flow or similar?
Context: making an app that simplifies AWS account management, and want to make the UX to "connect to my account" as simple as possible. Failed to find anything like that in AWS docs. Want the app to be able to provision and manage resources, run terraform etc.
Check this out: Identity Providers and Federation. You will still have to create pre-defined IAM roles to define what permission users will assume
Yes it's doable. You do need to create IAM roles; if you want to give your users access to everything, just create an admin role with permissions of '*:*' on all resources.
Then you should set up some type of SAML server; Active Directory Federation Services comes with everything out of the box. You can look for some open source SAML servers.
Then you have to set up SAML federation between your user account and your SAML backend.

AWS assume-role equivalent in Google cloud (GCP)?

How do I set up multi-account (project) access in GCP? It is possible in AWS by using assume-role; does anyone know how to do it in Google Cloud (GCP)?
I tried to find the AWS equivalent in GCP, but was not able to find any document.
As documented, AssumeRole in AWS returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
In AWS you can create one set of long-term credentials in one account. Then you can use temporary security credentials to access all the other accounts by assuming roles in those accounts.
The equivalent of the above in GCP would be creating short-lived credentials for service accounts to impersonate their identities (Documentation link).
Accordingly, in GCP you have the “caller” and the “limited-privilege service account” for whom the credential is created.
To implement this scenario, first use the documentation on Service Accounts and Cloud IAM Permission Roles in GCP to understand how accounts work there, as each account is a Service Account with specific role permissions.
The link I posted above provides detailed information on the flows that allow a caller to create short-lived credentials for a service account and the supported credential types.
Additionally, this link can assist you in visualizing and understanding the resource hierarchy architecture in GCP and give you examples on how to structure your project according to your organization’s structure.
The basic answer is "Service Roles". Limited-time service roles are available.
For assigning permissions across projects (but still in the same organization), you can create a custom role.
For letting any user assume the role of a service account, use the Service Account user role.
For limited-time authorization tokens, you have OAuth 2.0 for server-to-server calls, particularly with JWT where available.

Create AWS IAM users based on e-mail domain

I am setting up an AWS Account, the account will be used by an organization of employees for EC2 use/experimentation. Obviously, I do not want to distribute the root login info or set up one single IAM user for everyone to use. Unfortunately, I do not have the time to manage creating individual IAM users for everyone on a regular basis.
So, is there a way to auto-create IAM users based on a given email's domain on their first login attempt? The users should have read-only roles to begin, then an Administrator could give more roles as needed to each user. I am open to suggestions, perhaps lambda functions or linking to an identity provider?
Keep in mind that these new IAM users need to have access to the AWS Management Console, this is not necessarily intended for login to applications hosted on AWS.
Update:
Moving forward using this AWS Management Console Federation Proxy Sample found in Amazon's code reference, using with Microsoft Exchange hosted email.
If your existing identity provider supports SAML2 Federation, you can set it up to login to the AWS Management Console.
For more details refer to Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
Else you can implement a custom Federation Broker to return a URL to the user after they authenticate with their corporate credentials.
For more details refer to Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
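The custom federation broker flow referenced above, written out as an added example (not code from the original answer or from the AWS sample): after the broker obtains temporary credentials (AssumeRole or GetFederationToken, not shown), it exchanges them for a sign-in token at the federation endpoint and builds the console login URL. The credentials and issuer below are constructed placeholders, and the HTTP call is injected through `http_get` so the exchange can be exercised offline.

```python
"""Added example: building a console sign-in URL for a federated user.

Step 1: GET .../federation?Action=getSigninToken&Session=<json creds>
Step 2: hand the browser .../federation?Action=login&Issuer=...&Destination=...&SigninToken=...
"""
import json
import urllib.parse
import urllib.request

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"
CONSOLE_URL = "https://console.aws.amazon.com/"


def _default_http_get(url):
    """Real network call used when no stub is injected."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def signin_token_url(credentials, session_duration=None):
    """Step 1 request. The temporary secret key travels in the query string,
    so the broker must use HTTPS and must never log this URL."""
    session = json.dumps({"sessionId": credentials["AccessKeyId"],
                          "sessionKey": credentials["SecretAccessKey"],
                          "sessionToken": credentials["SessionToken"]})
    params = {"Action": "getSigninToken", "Session": session}
    if session_duration is not None:  # seconds; only honoured for AssumeRole creds
        params["SessionDuration"] = str(session_duration)
    return f"{FEDERATION_ENDPOINT}?{urllib.parse.urlencode(params)}"


def console_login_url(signin_token, issuer, destination=CONSOLE_URL):
    """Step 2 URL for the browser. The token is short-lived (15 minutes), and
    Issuer is where the console sends the user when the session expires."""
    params = {"Action": "login", "Issuer": issuer,
              "Destination": destination, "SigninToken": signin_token}
    return f"{FEDERATION_ENDPOINT}?{urllib.parse.urlencode(params)}"


def federated_console_url(credentials, issuer, destination=CONSOLE_URL,
                          session_duration=None, http_get=_default_http_get):
    """Full broker exchange: credentials -> SigninToken -> login URL."""
    body = http_get(signin_token_url(credentials, session_duration))
    token = json.loads(body)["SigninToken"]
    return console_login_url(token, issuer, destination)


def query_params(url):
    """Helper for inspecting the URLs above (single-valued query string)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlparse(url).query).items()}


if __name__ == "__main__":
    # Constructed placeholder credentials; a real broker gets these from STS.
    creds = {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "example-secret",
             "SessionToken": "example-session-token"}
    print(signin_token_url(creds, session_duration=3600))
    # federated_console_url(creds, "https://broker.example.com") would call the
    # real endpoint; with a stub http_get it can be tested without network.
```

Two things the broker design has to get right: the user must authenticate to the broker first (the corporate login mentioned above), and the credentials handed to getSigninToken should be scoped as narrowly as the read-only-by-default requirement in the question demands, since whatever those credentials can do, the resulting console session can do.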