Default role/permission provisioning for external IDP users

0

Hi, I have integrated google sso with aws sign-in using https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html guide. However, to make this system even better I would like to assign default permissions to the users without requiring admin approval. For example, anyone coming through google sso has readOnly permissions. Can someone please guide me on how to do that?

asked a month ago, 19 views
1 Answer
0

To assign default roles/permissions to users who authenticate via an external Identity Provider (IDP) like Google SSO in AWS Single Sign-On (SSO), without requiring admin approval, you can configure the AWS SSO Permission Sets and assign default roles to new users as they authenticate. Here's how you can do it:

Steps to Assign Default Permissions to Google SSO Users:

1. Configure AWS SSO with Google as an Identity Provider (IDP): Since you already followed the AWS SSO and Google SSO integration guide, this step should already be complete. You would have set up Google as an identity provider in AWS SSO.

2. Create a Permission Set in AWS SSO: AWS SSO uses Permission Sets to define roles and permissions for users in AWS accounts. You can create a permission set for the default role you want to assign to Google SSO users.
   - Go to the AWS SSO dashboard.
   - Under AWS SSO, go to Permission sets.
   - Click on Create permission set.
   - Choose a Standard Permission Set (e.g., ReadOnlyAccess for a read-only role) or Custom to define specific policies. If you select Custom, you can create your own policies (e.g., a custom read-only policy for your use case).
   - Complete the setup and save the permission set.

3. Assign Permission Set to Google SSO Users: Now that you have the permission set, you can assign it to the users authenticated through Google SSO.
   - Go to Users in the AWS SSO dashboard.
   - Select Assign users.
   - Choose Google SSO users from the list of users (you’ll see them once they sign in using Google).
   - Select the permission set you created (e.g., ReadOnlyAccess).
   - You can assign this permission set to a specific AWS account or to all accounts based on your needs.

4. Configure Automatic Role Assignment: To make this process automated (without requiring admin approval each time), follow these steps:
   - In AWS SSO, under Applications, navigate to the Google SSO application.
   - Choose Assignments and configure automatic assignment to ensure all new Google SSO users are assigned the default permission set automatically.

5. Test the Setup: After these configurations, test the system by having a new user authenticate via Google SSO. The user should automatically be assigned the ReadOnly permissions (or whatever permission set you’ve configured).

6. Audit and Fine-Tune: You can use AWS CloudTrail to log and monitor which users are being assigned which permissions, and make adjustments if needed.

regards, M Zubair https://zeonedge.com

answered a month ago
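The last step of the answer above recommends auditing assignments with CloudTrail. The following is an added example, not code from the original answer, that replays constructed CloudTrail records for the CreateAccountAssignment and DeleteAccountAssignment API calls (the requestParameters keys mirror those API parameters; the permission set ARNs, account id and principal ids are placeholders) to list who currently holds which permission set in which account and to flag any assignment that goes beyond the approved read-only default.

```python
from collections import defaultdict

# Constructed sample data (not from the original post). Field names follow the
# IAM Identity Center / AWS SSO CreateAccountAssignment API parameters as CloudTrail
# records them under requestParameters; the ARNs and ids below are placeholders.
READONLY_PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly-EXAMPLE"
ADMIN_PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin-EXAMPLE"

def _event(name, time, ps_arn, principal_type, principal_id, account="111122223333"):
    """Build one constructed CloudTrail record for an assignment API call."""
    return {"eventSource": "sso.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin-EXAMPLE"},
            "requestParameters": {"permissionSetArn": ps_arn, "principalType": principal_type,
                                  "principalId": principal_id, "targetType": "AWS_ACCOUNT",
                                  "targetId": account}}

SAMPLE_EVENTS = [
    _event("CreateAccountAssignment", "2024-05-01T09:00:00Z", READONLY_PS, "GROUP", "g-google-users"),
    _event("CreateAccountAssignment", "2024-05-01T09:05:00Z", ADMIN_PS, "USER", "u-alice"),
    _event("CreateAccountAssignment", "2024-05-01T09:10:00Z", READONLY_PS, "USER", "u-bob"),
    _event("DeleteAccountAssignment", "2024-05-01T09:20:00Z", READONLY_PS, "USER", "u-bob"),
]

def audit_assignments(records, approved_permission_sets):
    """Replay assignment events in time order. Returns (active, findings) where active maps
    (principalType, principalId, targetId) -> set of permission set ARNs still assigned, and
    findings lists every grant of a permission set outside the approved default."""
    active = defaultdict(set)
    findings = []
    for ev in sorted(records, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "sso.amazonaws.com":
            continue  # unrelated service; skip
        p = ev["requestParameters"]
        key = (p["principalType"], p["principalId"], p["targetId"])
        if ev["eventName"] == "CreateAccountAssignment":
            active[key].add(p["permissionSetArn"])
            if p["permissionSetArn"] not in approved_permission_sets:
                findings.append(f"{ev['eventTime']}: {ev['userIdentity']['arn']} assigned unapproved "
                                f"permission set {p['permissionSetArn']} to {key[0]} {key[1]} in account {key[2]}")
        elif ev["eventName"] == "DeleteAccountAssignment":
            active[key].discard(p["permissionSetArn"])
    return {k: v for k, v in active.items() if v}, findings

if __name__ == "__main__":
    active, findings = audit_assignments(SAMPLE_EVENTS, {READONLY_PS})
    for (ptype, pid, acct), sets in active.items():
        print(f"{ptype} {pid} in {acct}: {sorted(sets)}")
    for finding in findings:
        print("FINDING:", finding)
```

Real CloudTrail files carry these records under a top-level "Records" list, so the same function can be fed the parsed contents of a downloaded log file.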
