Hi,
As described in the AWS document [1], you can apply tags to permission sets only. You can't apply tags to the corresponding roles that AWS SSO creates in AWS accounts. Hence, when you add a tag to a permission set, it does not reflect in the corresponding roles in IAM, and you are also unable to add a tag directly to the corresponding roles in IAM, as the roles are created and managed by the AWS SSO service.
In this context, I would like to inform you that IAM Identity Center works differently from IAM: it uses "User Properties" instead of tags. You also need to enable "Attributes for access control" to set attributes that link a "Property" to a tag that can be recognised in IAM.
Please follow the steps below to solve this issue:
- For the user in IAM Identity Center, set the user property "Department" to "accounting-team" [kindly change this according to your use case] [2]. (This will be the attribute used with the sqlworkbench-team tag to share queries.)
- Enable attribute-based access control (ABAC) in IAM Identity Center [3].
- Configure a new attribute with Key = sqlworkbench-team and Value = ${path:enterprise.department} [4]. In this case, I'm using the value of the "Department" property set in step 1, so all users from the same Department will have access to the shared query. You could use any "property" based on your use case.
Please also check AWSReservedSSO role in IAM, it should not have any tags like sqlworkbench-team. It should have relevant policies to access Redshift and query editor v2.
Thank you.
[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html
[2] https://docs.aws.amazon.com/singlesignon/latest/userguide/edituser.html
[3] https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html#enable-abac
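The three steps above describe how a user property becomes a session tag that query editor v2 compares between principals. The following is an added example, not code from the answer or from AWS: it models that mapping offline with constructed SCIM-style user records (the user names, departments and the `_lookup`/`resolve_session_tags` helpers are assumptions of this model, not a real Identity Center API), builds the payload shape that the real `sso-admin` `create-instance-access-control-attribute-configuration` call takes for the attribute, and shows the two failure modes a practitioner checks first: a user whose Department is empty gets no `sqlworkbench-team` tag at all, and a mapping value that is not written in the `${path:...}` form is never substituted (the literal pass-through is a modelling assumption; the real service only substitutes `${path:...}` expressions). It also includes the check on the AWSReservedSSO role tags mentioned in the answer.

```python
"""Offline model of IAM Identity Center ABAC attribute mapping as used for
query editor v2 query sharing. Added example with constructed data; the
resolver is a simplified model, not the service's own implementation."""
import json
import re

# Constructed SCIM-style user records as the identity store holds them.
# "enterprise.department" is the "Department" user property from step 1;
# bob deliberately has no department to show the no-tag failure mode.
USERS = {
    "alice": {"userName": "alice", "name": {"familyName": "Ng"},
              "enterprise": {"department": "accounting-team"}},
    "carol": {"userName": "carol", "name": {"familyName": "Diaz"},
              "enterprise": {"department": "accounting-team"}},
    "dave": {"userName": "dave", "name": {"familyName": "Roy"},
             "enterprise": {"department": "platform-team"}},
    "bob": {"userName": "bob", "name": {"familyName": "Lee"},
            "enterprise": {}},
}

# Step 3 of the answer: attribute key -> source expression.
MAPPING = {"sqlworkbench-team": "${path:enterprise.department}"}
# Same mapping mistyped without the ${...} wrapper, for contrast.
LITERAL_MAPPING = {"sqlworkbench-team": "path:enterprise.department"}

# Only this exact form is an attribute reference that gets substituted.
PATH_RE = re.compile(r"^\$\{path:([A-Za-z0-9_.]+)\}$")


def build_abac_configuration(mapping):
    """Payload shape for sso-admin create/update-instance-access-control-
    attribute-configuration (InstanceAccessControlAttributeConfiguration)."""
    return {
        "AccessControlAttributes": [
            {"Key": key, "Value": {"Source": [source]}}
            for key, source in mapping.items()
        ]
    }


def _lookup(attrs, dotted):
    """Walk a dotted path such as 'enterprise.department' through the user
    record; None when any segment is missing or the final value is empty."""
    cur = attrs
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur if isinstance(cur, str) and cur else None


def resolve_session_tags(user, mapping):
    """Tags the user's federated session carries (aws:PrincipalTag/<key>).

    ${path:...} values are substituted from the user's attributes; a missing
    or empty attribute yields no tag at all. A value not in ${path:...} form
    is kept as a literal (model assumption, to make the mistake visible)."""
    tags = {}
    for key, source in mapping.items():
        match = PATH_RE.match(source)
        if match is None:
            tags[key] = source
            continue
        value = _lookup(user, match.group(1))
        if value is not None:
            tags[key] = value
    return tags


def can_share_queries(user_a, user_b, mapping, key="sqlworkbench-team"):
    """Query editor v2 shares a query between principals whose
    sqlworkbench-team tag values are equal; an absent tag never matches."""
    tag_a = resolve_session_tags(user_a, mapping).get(key)
    tag_b = resolve_session_tags(user_b, mapping).get(key)
    return tag_a is not None and tag_a == tag_b


def misplaced_role_tags(role_tags, key="sqlworkbench-team"):
    """Keys that should not appear on an AWSReservedSSO_* role: the team
    tag must arrive as a session tag through ABAC, not as a role tag.
    role_tags is the list of {"Key": ..., "Value": ...} dicts that
    iam list-role-tags returns."""
    return [tag["Key"] for tag in role_tags if tag["Key"] == key]


if __name__ == "__main__":
    print(json.dumps(build_abac_configuration(MAPPING), indent=2))
    for name, record in USERS.items():
        print(name, resolve_session_tags(record, MAPPING))
    print("alice/carol:", can_share_queries(USERS["alice"], USERS["carol"], MAPPING))
    print("alice/bob:", can_share_queries(USERS["alice"], USERS["bob"], MAPPING))
    print("alice, literal mapping:", resolve_session_tags(USERS["alice"], LITERAL_MAPPING))
```

Run as a script it prints the configuration payload and each user's resolved tags; alice and carol share (same department value), dave does not (different value) and bob does not (no department, hence no tag). Feeding the output of `aws iam list-role-tags --role-name AWSReservedSSO_...` into `misplaced_role_tags` implements the last check in the answer.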
Hello Salindira,
I've added the ABAC the same way you did and my Department values are all the same for the users, but it still doesn't work. I can't attach a screenshot, but I double checked and I receive the same error in Redshift. My Department value is AOC and I'm using the value of path:enterprise.department.
It worked when I copied and pasted the attribute and value from the AWS documentation in the following link: https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html