2 Answers
0
Thanks to kentrad's answer, I found a good solution to this.
First, run the command below while logged into the CLI as the SSO user you want to add:
aws sts get-caller-identity --query Arn --output text
This should generate output like:
arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER
Whatever gets generated, just put it into the policy like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/User1",
          "arn:aws:iam::123456789012:user/User2",
          "arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
That should be enough to get the SSO user to be able to assume that role.
answered a year ago
0
You can add your role ARN to the trust policy of the role you want to assume. You can find your ARN using the following CLI commands.
RoleId=$(aws sts get-caller-identity --query UserId --output text | cut -f1 -d':')
aws iam list-roles --query "Roles[?RoleId=='$RoleId'].Arn" --output text
Once the trust policy is updated you can issue the aws sts assume-role command to get the access key id and secret key for the new role.
You can also do something like this:
# The caller ARN is arn:aws:sts::ACCOUNT:assumed-role/ROLENAME/SESSION, so the
# second '/'-separated field is the role name to look up.
RoleName=$(aws sts get-caller-identity --query Arn --output text | cut -d'/' -f2)
aws iam list-roles --query "Roles[?RoleName=='$RoleName'].Arn" --output text
So, the RoleId that is getting fetched here is the role that was created in IAM for the permission set created in Identity Center, right? In that case, won't all users in Identity Center having this permission set get added to the trust policy? Is it not possible to only add a user from Identity Center? Would it be possible to use "Federated" or something?
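The following script is an added example for this thread; it is not code from either answer or from the commenter. It ties the two answers together: it maps the caller identity ARN (answer 1) to the IAM role ARN that both answers end up placing in the trust policy (answer 2), builds the trust policy document, and, optionally, adds an aws:userid condition, which addresses the comment above: the Principal stays the shared permission-set role (so it does cover every user assigned that permission set), but the condition only matches the session whose UserId is ROLEID:SESSIONNAME, and Identity Center sets the session name to the signed-in user's username. The role name AWSReservedSSO_Admin_abc, the role ID AROAEXAMPLE, the user "alice" and the target role name are constructed placeholders; the AWS CLI calls (`aws sts get-caller-identity`, `aws iam update-assume-role-policy`, `aws sts assume-role`) are real commands but only run when the script is invoked with `--apply`.

```shell
#!/usr/bin/env sh
# Added example (not from the original re:Post answers). Assumes AWS CLI v2 is
# configured and the caller is either an IAM user or an Identity Center (SSO)
# role session. AWSReservedSSO_Admin_abc, AROAEXAMPLE and "alice" are
# constructed placeholders used in the comments and tests.
set -eu

# Map the ARN returned by `aws sts get-caller-identity --query Arn` to the
# principal a trust policy should name:
#   IAM user:      arn:aws:iam::ACCT:user/NAME                   -> unchanged
#   role session:  arn:aws:sts::ACCT:assumed-role/ROLE/SESSION   -> arn:aws:iam::ACCT:role/ROLE
# The sts ARN identifies one session; the iam role ARN is the principal IAM
# evaluates for every session of that role (every user with that permission set).
principal_for_caller() {
  case "$1" in
    arn:aws:iam::*:user/*)
      printf '%s\n' "$1" ;;
    arn:aws:sts::*:assumed-role/*/*)
      acct=$(printf '%s' "$1" | cut -d: -f5)
      role=$(printf '%s' "$1" | cut -d/ -f2)
      printf 'arn:aws:iam::%s:role/%s\n' "$acct" "$role" ;;
    *)
      echo "unsupported caller ARN: $1" >&2
      return 1 ;;
  esac
}

# Emit a trust policy allowing PRINCIPAL to call sts:AssumeRole. If USERID
# (the UserId field, ROLEID:SESSIONNAME for a role session) is given, add an
# aws:userid condition so that only that session name matches even though the
# Principal is the shared permission-set role.
trust_policy() {
  principal=$1
  userid=${2:-}
  cond=""
  if [ -n "$userid" ]; then
    cond=$(printf ',\n      "Condition": { "StringEquals": { "aws:userid": "%s" } }' "$userid")
  fi
  printf '{\n  "Version": "2012-10-17",\n  "Statement": [\n    {\n      "Effect": "Allow",\n      "Principal": { "AWS": "%s" },\n      "Action": "sts:AssumeRole"%s\n    }\n  ]\n}\n' \
    "$principal" "$cond"
}

# Replace the trust policy of ROLE_NAME with the document on stdin. This
# overwrites the whole document, so the policy must list every principal that
# should keep access (fetch the current one first with
# `aws iam get-role --role-name ROLE --query Role.AssumeRolePolicyDocument`).
apply_trust_policy() {
  aws iam update-assume-role-policy --role-name "$1" --policy-document "$(cat)"
}

# Check from the current (SSO) session: success prints the assumed-role ARN,
# an AccessDenied error means the trust policy does not match this caller.
check_assume() {
  aws sts assume-role --role-arn "$1" --role-session-name trust-check \
    --query 'AssumedRoleUser.Arn' --output text
}

# Usage: sh trust.sh --apply TARGET_ROLE_NAME   (nothing is called otherwise)
if [ "${1:-}" = "--apply" ]; then
  me=$(aws sts get-caller-identity --query Arn --output text)
  uid=$(aws sts get-caller-identity --query UserId --output text)
  trust_policy "$(principal_for_caller "$me")" "$uid" | apply_trust_policy "$2"
  check_assume "arn:aws:iam::$(printf '%s' "$me" | cut -d: -f5):role/$2"
fi
```

Two caveats when using this pattern with Identity Center roles: the AWSReservedSSO_* role is recreated (with a new name suffix and a new role ID) if the permission set is unassigned from the account and assigned again, and IAM rewrites a deleted principal in a trust policy to its opaque unique ID, so the policy silently stops matching and must be regenerated; and the aws:userid condition narrows access to one session name, not to a specific Identity Center user object, so it should be combined with the role Principal as above rather than used on its own.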