How do I parse multiple group claims from an OIDC Token/Provider into an IAM Policy?

0

Suppose you want to use the "groups" claim from your OIDC provider to dictate resource access for your IAM role.

i.e. if you're in group A, you can touch resource A. A user could be in groups A, B, and C all at the same time.

All of the IAM examples so far seem to assume that a user has a single group or department attribute that dictates access (i.e. bob's department=accounting), instead of multiple (i.e. bob's departments=[accounting]). Usually this is never the case in reality and hardly seems applicable to any use cases.

Furthermore, it seems that mapping the "groups" claim in an OIDC provider with Cognito Identity pools transcribes the array to a singular string (i.e. the array [groupA, groupB, groupC] is parsed to the literal string "["groupA", "groupB", "groupC"]"), which is near impossible to use in IAM roles when checking access levels due to a lack of advanced string parsing.

Any ideas? Is this just not a thing in IAM? Can you just simply not use the groups claim from an OIDC provider?
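To make the problem in the question concrete, here is an added illustration (not code from the question, from AWS, or from Cognito): a small Python model of how an IAM-style condition block treats a request key that is a set of strings versus one that is a single JSON-encoded string. It follows the documented semantics of `StringEquals` and the `ForAnyValue:`/`ForAllValues:` set-operator prefixes, but it is a simplified model, not the real IAM evaluator. The condition key name `oidc:groups` and the group values are constructed sample data, not real context keys.

```python
"""Toy model of IAM condition evaluation for single- vs multi-valued keys.

This is an added illustration and not AWS code. It models only:
  - StringEquals            (single-valued operator)
  - ForAnyValue:StringEquals (true if ANY request value matches)
  - ForAllValues:StringEquals (true if EVERY request value matches;
                               also true when the key is absent/empty,
                               as IAM documents for ForAllValues)
The key name "oidc:groups" is hypothetical; group names are constructed.
"""
import json


def evaluate_condition(condition: dict, context: dict) -> bool:
    """Return True when every operator/key pair in `condition` is satisfied
    by the request `context` (a mapping of key -> str or list[str])."""
    for operator, key_map in condition.items():
        for key, policy_values in key_map.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            actual = context.get(key)
            actual_values = (
                [] if actual is None
                else [actual] if isinstance(actual, str)
                else list(actual)
            )
            if operator.startswith("ForAllValues:"):
                # Vacuously true for a missing or empty set (documented IAM behaviour).
                ok = all(v in policy_values for v in actual_values)
            elif operator.startswith("ForAnyValue:"):
                ok = any(v in policy_values for v in actual_values)
            else:
                # A single-valued operator matches only a single request value.
                ok = len(actual_values) == 1 and actual_values[0] in policy_values
            if not ok:
                return False
    return True


# Constructed sample claim: the user is in three groups at once.
GROUPS = ["groupA", "groupB", "groupC"]
# What the question reports: the array arrives as ONE opaque string.
STRINGIFIED_GROUPS = json.dumps(GROUPS)  # '["groupA", "groupB", "groupC"]'

# Policy condition: allow if the principal is in groupB (any-of semantics).
ANY_OF_GROUP_B = {"ForAnyValue:StringEquals": {"oidc:groups": ["groupB"]}}
# Policy condition: allow only if EVERY group the principal holds is on the allow-list.
ALL_IN_ALLOWLIST = {"ForAllValues:StringEquals": {"oidc:groups": ["groupA", "groupB"]}}
# Policy condition written with a single-valued operator.
SINGLE_EQUALS_B = {"StringEquals": {"oidc:groups": "groupB"}}


def check(condition: dict, groups_value) -> bool:
    """Evaluate `condition` for a request whose oidc:groups key is `groups_value`."""
    return evaluate_condition(condition, {"oidc:groups": groups_value})


def split_stringified(value: str) -> list:
    """Recover the individual group names from a JSON-encoded array string.

    This is the pre-processing a token-issuing or claim-mapping layer would
    need to do so the claim can be presented as a set instead of one string.
    Rejects anything that is not a JSON array of strings.
    """
    parsed = json.loads(value)
    if not isinstance(parsed, list) or not all(isinstance(g, str) for g in parsed):
        raise ValueError("groups claim is not a JSON array of strings")
    return parsed


if __name__ == "__main__":
    print("set-valued, any-of groupB:      ", check(ANY_OF_GROUP_B, GROUPS))
    print("stringified, any-of groupB:     ", check(ANY_OF_GROUP_B, STRINGIFIED_GROUPS))
    print("re-split, any-of groupB:        ", check(ANY_OF_GROUP_B, split_stringified(STRINGIFIED_GROUPS)))
    print("set-valued, StringEquals groupB:", check(SINGLE_EQUALS_B, GROUPS))
```

Run as a script it prints `True`, `False`, `True`, `False` in that order: the multi-valued check only works when the claim reaches the evaluator as a set, and a single-valued `StringEquals` cannot express "is a member of" over a set at all, which is the gap the question describes.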

1 answer
0

Assuming you are using cognito for authN and implementing groups to assign roles, you have the option of using priority within your roles. If that does not suffice you can implement RBAC as defined at https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html .

AWS
Answered 2 years ago
  • RBAC still caps out at 25 rules -> 25 roles per OIDC provider, right? So if you had more than 25 possible groups this wouldn't be a practical solution either.

    It also forces you to "pick" a single role to sign in as at a time, instead of utilizing the credentials of multiple, which isn't ideal.
