I will try to solve your doubts, assuming that you are using an IdP like Okta.
aws sso login: is a command line that uses your credentials configured in `.aws/config`; you will have something like this:

```
[profile account-name-A]
sso_start_url = https://d-id.awsapps.com/start
sso_region = eu-west-2
sso_account_id = account_num-A
sso_role_name = roleX
region = eu-west-2
output = text

[profile account-name-B]
sso_start_url = https://d-id.awsapps.com/start
sso_region = eu-west-2
sso_account_id = account_num-B
sso_role_name = roleY
region = eu-west-2
output = text
```
This process verifies the user's identity and generates temporary AWS credentials.
Permission set: AWS SSO assigns one or more permission sets to the user. A permission set is a collection of permissions that define the user's access rights. These are composed of the permissions that you want the users to have over the accounts, which could be formed by custom permissions and managed permissions (AWS scope).
That permission set could be attached to an account or accounts, depending on where you want the user to have access.
The role is not like the IAM one; in SSO there isn't a concept of role.
Commands workflow

```
aws sso login
```

--> That opens your IdP to accept the access -->

Then you could use a command like:

```
aws s3 ls --profile account-name-B
```

--> The profile name indicates the account and the role with which it is associated.

If you want `aws sts assume-role`, you need to configure the permission set to assume the role.
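As an added example (not part of the answer above or of any AWS tooling), the following script parses an AWS CLI config in the layout the answer shows and reports, per profile, which account and permission-set role it resolves to, flagging SSO profiles that lack one of the required keys. It also handles the role-chaining case from the last line of the answer: a profile with `role_arn` and `source_profile`, where the source is an SSO profile, is the AWS CLI mechanism for running `sts assume-role` on top of an SSO session. The config text is constructed inline; the account numbers, `roleX`/`roleY`, `AuditRole`, and the `d-id` start URL are placeholders and the profile names `account-name-C` and `audit-in-B` are assumptions.

```python
"""Audit SSO and chained-role profiles in an AWS CLI config (added example)."""
import configparser
from typing import Dict, Tuple

# Keys that every SSO profile in ~/.aws/config must carry for `aws sso login`
# and `--profile` resolution to work.
REQUIRED_SSO_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

# Constructed sample config: the two-profile layout from the answer, plus a
# chained role profile (role_arn + source_profile) and a deliberately broken
# SSO profile. Account ids, role names and the start URL are placeholders.
SAMPLE_CONFIG = """\
[profile account-name-A]
sso_start_url = https://d-id.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = roleX
region = eu-west-2
output = text

[profile account-name-B]
sso_start_url = https://d-id.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 222222222222
sso_role_name = roleY
region = eu-west-2
output = text

[profile account-name-C]
sso_start_url = https://d-id.awsapps.com/start
sso_region = eu-west-2
region = eu-west-2

[profile audit-in-B]
role_arn = arn:aws:iam::222222222222:role/AuditRole
source_profile = account-name-B
region = eu-west-2
"""


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Return {profile_name: {key: value}} from AWS CLI config text.

    The CLI names sections "[profile X]" (only the default profile is bare),
    so the "profile " prefix is stripped to get the name used with --profile.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    profiles: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(parser[section])
    return profiles


def classify(profiles: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Label each profile 'sso', 'chained' or 'invalid' with a one-line reason."""
    report: Dict[str, Tuple[str, str]] = {}
    for name, cfg in profiles.items():
        if "role_arn" in cfg and "source_profile" in cfg:
            # Role chaining: credentials come from the source SSO profile, then
            # sts:AssumeRole is called on role_arn. The source must be usable.
            src = cfg["source_profile"]
            if src not in profiles:
                report[name] = ("invalid", f"source_profile '{src}' not defined")
            elif not all(k in profiles[src] for k in REQUIRED_SSO_KEYS):
                report[name] = ("invalid", f"source_profile '{src}' is not a complete SSO profile")
            else:
                report[name] = ("chained", f"assume {cfg['role_arn']} via {src}")
            continue
        missing = [k for k in REQUIRED_SSO_KEYS if k not in cfg]
        if missing:
            report[name] = ("invalid", "missing " + ", ".join(missing))
        else:
            report[name] = ("sso", f"account {cfg['sso_account_id']} as {cfg['sso_role_name']}")
    return report


if __name__ == "__main__":
    for profile, (kind, detail) in classify(parse_profiles(SAMPLE_CONFIG)).items():
        print(f"{profile:16} {kind:8} {detail}")
```

Run it against a real file by replacing `SAMPLE_CONFIG` with the contents of `~/.aws/config`; an `invalid` line for a profile that `aws sso login --profile` rejects is usually the missing key shown in the detail column.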
There is definitely a concept of role in SSO, see the profile settings you mentioned: sso_role_name. But I agree that the AWS docs are really confusing around this.
That parameter is required, and it takes a single value, so I am coming to the conclusion that a user logged in through SSO can only assume one permission set at a given time; so I have started customizing a single custom Permission Set by adding the policies I need to it.