Yes, there is a way to associate variable values like key pairs with individual IAM Identity Center users.
When you create permission sets in IAM Identity Center, you can define variables that will be available to the IAM policies assigned to users through those permission sets. For example, you could define a variable called ${sso:user} that contains the username of the authenticated user. [1]
Then in your IAM policies, you can reference this variable to customize the resources a user has access to based on their identity. For the scenario you described, you could create a policy that allows modifying security group rules where the rule ID contains the ${sso:user} variable.
For example:
{ "Version": "2012-10-17", "Statement": [ { "Action": "ec2:AuthorizeSecurityGroupIngress", "Resource": "arn:aws:ec2:*:*:security-group-rule/sgr-${sso:user}", "Effect": "Allow" } ] }
This would allow each IAM Identity Center user to only modify rules associated with their own username. The key is defining variables in your permission sets that are then available to customize access in IAM policies. Let me know if any part needs more explanation! [2]
Sources
[1] Limit IAM Identity Center Users to defined Region | AWS re:Post: repost.aws/questions/QU5wjaO6vZR7Kx7SUULYYjrw/limit-iam-identity-center-users-to-defined-region
[2] Identity-based policy examples for IAM Identity Center - AWS IAM Identity Center: docs.aws.amazon.com/singlesignon/latest/iam-auth-access-using-id-policies.html
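The mechanism the answer relies on is that the variable in the resource ARN is resolved per request from the calling principal's context, so one policy document yields a different effective resource for each user. The following is an added illustration, not code from the answer or from AWS: a small, deliberately simplified model of that substitution and matching step (it is not the IAM policy engine and ignores conditions, NotAction, and many other evaluation rules). It assumes the request context carries a key named `sso:user`, exactly as the policy above references it, and uses the policy from the answer as its input. The check worth noticing is the fail-closed case: when the context has no value for the variable, the statement matches nothing, so the user is denied rather than granted access to every rule.

```python
import re
from typing import Dict, List, Optional

# Policy document from the answer above, used as input to the toy evaluator.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:AuthorizeSecurityGroupIngress",
            "Resource": "arn:aws:ec2:*:*:security-group-rule/sgr-${sso:user}",
            "Effect": "Allow",
        }
    ],
}

# Matches policy variables of the form ${name}, e.g. ${sso:user}.
VAR_RE = re.compile(r"\$\{([A-Za-z0-9_:/-]+)\}")


def resolve(template: str, context: Dict[str, str]) -> Optional[str]:
    """Substitute ${key} variables from the request context.

    Returns None when any referenced variable is absent from the context.
    Modelling choice (assumption for this example): an unresolvable variable
    makes the element match nothing, so evaluation fails closed.
    """
    missing = False

    def substitute(match: "re.Match[str]") -> str:
        nonlocal missing
        value = context.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return value

    resolved = VAR_RE.sub(substitute, template)
    return None if missing else resolved


def pattern_matches(pattern: str, value: str) -> bool:
    """Match an action or ARN against a pattern with IAM-style * and ? wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(item) -> List[str]:
    return item if isinstance(item, list) else [item]


def is_allowed(policy: dict, action: str, resource: str, context: Dict[str, str]) -> bool:
    """Default deny; an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(pattern_matches(a, action) for a in _as_list(statement["Action"])):
            continue
        resource_hit = False
        for template in _as_list(statement["Resource"]):
            resolved = resolve(template, context)
            if resolved is not None and pattern_matches(resolved, resource):
                resource_hit = True
                break
        if not resource_hit:
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def demo() -> Dict[str, bool]:
    """Evaluate a few constructed requests; account id and rule ids are made up."""
    action = "ec2:AuthorizeSecurityGroupIngress"
    own_rule = "arn:aws:ec2:eu-west-1:111122223333:security-group-rule/sgr-alice"
    other_rule = "arn:aws:ec2:eu-west-1:111122223333:security-group-rule/sgr-bob"
    alice = {"sso:user": "alice"}
    return {
        "alice_own_rule": is_allowed(POLICY, action, own_rule, alice),
        "alice_other_rule": is_allowed(POLICY, action, other_rule, alice),
        "no_variable_in_context": is_allowed(POLICY, action, own_rule, {}),
        "wrong_action": is_allowed(POLICY, "ec2:RevokeSecurityGroupIngress", own_rule, alice),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'ALLOW' if result else 'DENY'}")
```

Running it prints ALLOW only for the first case. The point of the model is the contrast between the second and third cases: a populated variable narrows the Allow to the caller's own resources, and an empty context does not widen it, which is the property to verify when relying on per-user variables for isolation.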
Many thanks for the prompt reply Ibrahim. The details kindly provided are consistent with what I know, but what is missing - and the bit I am in need of knowing - is how do I assign a unique value to the variable? In IAM Identity Center I am aware that there are a number of fields under headings Primary information, Contact methods, Job-related information etc. that can be used, but if I want a variable named "abcxyz" associated with each user that contains a unique value, where/how do I declare that?