Hello,
Thank you for contacting us! I understand that you would like to deny access to a specific IdP provider while creating an IAM role.
I would like to share with you that unfortunately, it is not possible to restrict the control on a specific Identity Provider when creating a role.
When you start creating a role (via Console), it starts with making a selection on the trusted entity and provides you with the following 5 Trusted entity types:
- AWS service
- AWS account
- Web identity
- SAML 2.0 federation
- Custom trust policy
Due to process-flow requirements (of "iam:CreateRole"), it is not possible to restrict the selection of a particular available resource in the drop-down for any of these above 5 Trusted entity types. Hence, your use-case cannot be met. I highly regret the inconvenience this may have caused you.
Next, you may please refer to the document [1], which defines all the supported Condition Keys on the resource(s) for the respective API ("iam:CreateRole" here). If you note, "iam:CreateRole" doesn't have any condition key which can enforce restrictions on the Identity Provider.
Reference:
[1] Actions, resources, and condition keys for Identity And Access Management: https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html
If the suggestions above were not adequate to address your concern, I request you to please create a support case with us instead, so that we can discuss it further.
Please do not post any sensitive information over re:Post since this is a public platform. Please don't hesitate to reach back with any further questions or concerns and we will be glad to assist you accordingly.
Thank you.
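Because the answer above explains that "iam:CreateRole" offers no condition key on the identity provider, a preventive policy cannot block a role from trusting a given IdP. The script below is an added example, not part of the re:Post answer and not AWS code: it shows the compensating detective check a defender can run, parsing role trust policies and flagging any "Principal": {"Federated": ...} entry that is not on an allow-list. The allow-list, the role names and the trust policy documents are constructed samples (the account id 123456789012 is the documentation example id); they are embedded inline so the script runs offline.

```python
"""Audit IAM role trust policies for federated principals outside an allow-list.

Added example (not from the re:Post answer). Trust policies are embedded as
constructed dicts, which is the same shape boto3 returns for
AssumeRolePolicyDocument, so no AWS API calls are needed to run this.
"""

# Constructed allow-list: the only identity provider this hypothetical account
# wants roles to trust.
ALLOWED_PROVIDERS = {
    "arn:aws:iam::123456789012:saml-provider/CorpADFS",
}

# Constructed sample trust policies keyed by role name. They cover the shapes
# a trust policy can take: Statement as a list or a single object, Federated as
# a string or a list, and a Service principal with no federation at all.
SAMPLE_ROLES = {
    "AppSamlRole": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/CorpADFS"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
        }],
    },
    "GithubOidcRole": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
        }],
    },
    "Ec2Role": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    },
    "CognitoRole": {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {"Federated": [
                "cognito-identity.amazonaws.com",
                "arn:aws:iam::123456789012:saml-provider/CorpADFS",
            ]},
            "Action": ["sts:AssumeRoleWithWebIdentity", "sts:AssumeRoleWithSAML"],
        },
    },
}


def federated_principals(trust_policy):
    """Return the set of Principal.Federated values in Allow statements.

    Normalises the string-or-list forms that both Statement and Federated
    accept; a "*" or string Principal carries no federated IdP and is skipped.
    """
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        fed = principal.get("Federated")
        if fed is None:
            continue
        found.update([fed] if isinstance(fed, str) else fed)
    return found


def unapproved_providers(trust_policy, allowed=ALLOWED_PROVIDERS):
    """Sorted list of federated providers the policy trusts but the allow-list does not."""
    return sorted(federated_principals(trust_policy) - set(allowed))


def audit(roles=SAMPLE_ROLES, allowed=ALLOWED_PROVIDERS):
    """Return {role_name: [unapproved provider ...]} for roles trusting an unlisted IdP."""
    findings = {}
    for name, doc in roles.items():
        bad = unapproved_providers(doc, allowed)
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for role, providers in audit().items():
        print(f"{role}: trusts unapproved identity provider(s) {providers}")
```

To run this against a real account, replace SAMPLE_ROLES with the roles returned by the boto3 `list_roles` paginator (each entry's `AssumeRolePolicyDocument` is already a dict) and keep the allow-list under change control; the check is detective only, which is exactly the gap the answer describes.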