IAM and SSO Users Assume Role Details
IAM is the traditional user model for AWS. More recently AWS has adopted and encouraged Single Sign-On (SSO), which simplifies access management for AWS services and resources. This document outlines the process for configuring both traditional IAM users and SSO users to assume the SageWorks role.
Below is a broad trust policy that will allow all users of your AWS account to assume the SageWorksExecutionRole.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS-ACCOUNT-ID>:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
If you'd like to limit the users, simply put a list of IAM users instead of the :root.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<AWS-ACCOUNT-ID>:user/UserName1",
                    "arn:aws:iam::<AWS-ACCOUNT-ID>:user/UserName2"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
To allow AWS SSO users to assume the SageWorks role, the role must trust the AWS SSO service. This trust is established through a trust policy attached to the IAM role. The following policy will set up group specific access for SSO Users.
Note: The group will have to have a 'permission set' that allows its members to assume the SageWorksExecutionRole; see below for more details.
Obviously, replace <AWS-ACCOUNT-ID> and <GROUP-NAME> with your specific AWS account ID and SSO group name.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWS-ACCOUNT-ID>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::<AWS-ACCOUNT-ID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_<GROUP-NAME>_*"
                }
            }
        }
    ]
}
```
Permission sets define the permissions that users and groups have when they access AWS resources through AWS SSO. For a user to assume an IAM role, their permission set must include permissions to assume that role.
The following JSON illustrates a permission set that grants an SSO group the ability to assume the SageWorks role:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/SageWorks-ExecutionRole"
        }
    ]
}
```
This is just general documentation about how the AWS Role Assumption Process works. There's nothing specific to SageWorks but we wanted our users to be informed about what's happening underneath the AWS 'hood'.
The process for an AWS SSO user to assume an IAM role is as follows:
- Log in via AWS SSO: The user logs into the AWS account through the AWS SSO portal.
- Assume Role with SSO: The user attempts to assume an IAM role that has been set up with a trust relationship to AWS SSO.
- Trust Policy Validation: AWS checks the IAM role's trust policy to confirm it trusts the AWS SSO service or the specific SSO role the user has assumed.
- Permission Set Validation: AWS then confirms the user has the sts:AssumeRole permission for the IAM role within their assigned permission set.
- Role Assumption: If the trust policy and permission set allow it, the user assumes the IAM role and is granted the associated permissions.
To successfully integrate AWS SSO with IAM roles, it's essential to configure both the trust policy of the IAM role and the permission sets of the AWS SSO users. Accurate configuration ensures that only authorized SSO users can assume the specified IAM roles, maintaining security while simplifying access management.
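As an added illustration (not SageWorks code, and not a substitute for AWS's real policy evaluator, which also applies explicit denies, SCPs and other condition keys), the following script mirrors steps 3 and 4 of the process above: the trust policy's principal and `ArnLike` condition must admit the caller, and the caller's permission set must grant `sts:AssumeRole` on the exact role ARN. The account id and the `DataScience` group name are constructed placeholders; the permission set is the page's own, which is why its `Resource` only matches a role named `SageWorks-ExecutionRole` with the hyphen.

```python
import fnmatch

ACCOUNT = "123456789012"  # constructed sample account id, not a real account
SSO_PATTERN = (f"arn:aws:iam::{ACCOUNT}:role/aws-reserved/sso.amazonaws.com/*/"
               "AWSReservedSSO_DataScience_*")  # DataScience stands in for <GROUP-NAME>
# The SSO trust policy from this page, with the placeholders filled in
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalArn": SSO_PATTERN}},
    }],
}
# The permission set from this page, verbatim (note the hyphen in the role name)
PERMISSION_SET = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": "arn:aws:iam::*:role/SageWorks-ExecutionRole"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_allows(policy, principal_arn, action="sts:AssumeRole"):
    """Trust-policy half: principal, action and any ArnLike condition must all match."""
    account = principal_arn.split(":")[4]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in _as_list(stmt["Action"]):
            continue
        principals = _as_list(stmt["Principal"].get("AWS", []))
        # ":root" admits any principal of that account; otherwise the ARN itself must be listed
        if f"arn:aws:iam::{account}:root" not in principals and principal_arn not in principals:
            continue
        condition = stmt.get("Condition", {}).get("ArnLike", {})
        patterns = _as_list(condition.get("aws:PrincipalArn", "*"))  # no condition: no extra limit
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):  # ArnLike: * and ? wildcards
            return True
    return False

def permission_set_allows(permission_set, role_arn):
    """Permission-set half: the caller's own policy must grant sts:AssumeRole on the target role."""
    for stmt in permission_set["Statement"]:
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            if any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
                return True
    return False

def can_assume(principal_arn, role_arn, trust=TRUST_POLICY, permission_set=PERMISSION_SET):
    return trust_allows(trust, principal_arn) and permission_set_allows(permission_set, role_arn)
```

Run `can_assume` with the SSO reserved-role ARN of a user in the group (the one `aws sts get-caller-identity` reports after SSO login) and the target role ARN; a plain IAM user of the same account passes the `:root` principal check but is stopped by the `ArnLike` condition.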