AWS Identity Center Assumed Role Principals

Question

I am attempting to author an IAM Role Trust Policy that only permits sts:AssumeRole permissions for a role managed by the AWS IAM Identity Center. I have read through [this document describing the Principal ARN that should be used in the Trust Policy](https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html), but am pretty confident that the documented PrincipalArn is incorrect. The documented format of the ARN is:

```
arn:aws:iam::$ACCOUNT_ID:role/aws-reserved/sso.amazonaws.com/$IDENTITY_CENTER_REGION/AWSReservedSSO_$PERMISSION_SET_NAME_*
```
However, when I use that exact format and attempt to assume the role I get `AccessDenied` errors. I **AM** however able to get it to work if I remove the $IDENTITY_CENTER_REGION component from the PrincipalArn and use the following format:

```
arn:aws:iam::$ACCOUNT_ID:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_$PERMISSION_SET_NAME_*
```

I see [others have had similar difficulties getting this to work](https://stackoverflow.com/questions/73960189/assuming-roles-when-logged-in-via-iam-identity-center#:~:text=So%20I%20tried%20different%20patterns%20and%20answers%20in%20this%20question%20thread%20but%20nothing%20really%20worked%20for%20me.).

Is the documented ARN format incorrect? Or is there some configuration step I may have missed that leads to this difference?

Thanks for the help!

Accepted Answer

Hello.

In my environment, I was able to perform AssumeRole with the following trust policy.  
My IAM Identity Center uses Tokyo as the region.  
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$ACCOUNT_ID:role/aws-reserved/sso.amazonaws.com/ap-northeast-1/AWSReservedSSO_AWSAdministratorAccess_xxxxxxx"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

What region are you using with IAM Identity Center?  
According to the AWS blog below, it seems that there is no need for a region code in the case of us-east-1.  
https://aws.amazon.com/jp/blogs/containers/a-quick-path-to-amazon-eks-single-sign-on-using-aws-sso/  
> Note: If you configure SSO in a Region other than us-east-1, add the Region after “sso.amazonaws.com”. For example, for us-east-2, “…/sso.amazonaws.com/us-east-2/…”.

AWS Identity Center Assumed Role Principals

関連するコンテンツ