How to use Okta username in IAM policy?

Question

I am using Federated Identity with Okta being the IDP. I would like to add an Identity based policy which provides access to resources which are tagged with the user's Okta username.  For each resource, I want to set the tag username and give it a value of the user who needs to access it.   
`"Condition": {
                "StringEquals": {"aws:ResourceTag/username": "${????}"}
            }`

What should I add to the StringEquals condition so that the Okta username gets used?

Answer

I'm not sure if/how the username comes through from Okta in the SAML assertion, but you can access various attributes from it in an IAM policy [1]. The username would generally be the SAML subject, so `${saml:sub}` is worth a try. You can use a tool like SAML Tracer to examine the response and determine which attribute is best [2].

There is additional AWS guidance on uniquely identifying SAML federated users here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-userid and more general information about policy variables here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-infotouse

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-saml  
[2] https://developer.okta.com/docs/guides/saml-tracer/main/

How to use Okta username in IAM policy?

Conteúdo relevante