sts:AssumeRolewithSAML using aws:PrincipalOrgID

0

I am using aws-azure-login and the below assumerole trust policy works:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789012:saml-provider/AzureAD-SSO"
          },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": {
            "StringEquals": {
              "SAML:aud": [ "https://signin.aws.amazon.com/saml" ]
            }
          }
        }
      ]
    }

But I get access denied if I try to use aws:PrincipalOrgID:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::123456789012:saml-provider/AzureAD-SSO"
          },
          "Action": "sts:AssumeRoleWithSAML",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalOrgID": "o-xxxxx",
              "SAML:aud": [ "https://signin.aws.amazon.com/saml" ]
            }
          }
        }
      ]
    }

asked 8 months ago, 125 views
1 Answer
0

Based on the information provided, it appears that the aws:PrincipalOrgID condition key is not applicable when using SAML federation with AWS. This condition key is typically used to restrict access based on the AWS organization that the principal belongs to, but in the case of SAML federation, the principal is the external SAML identity provider (IdP), not an AWS account or organization.

Instead of using aws:PrincipalOrgID, you should just use the SAML:aud condition key to specify the intended audience for the SAML assertion, which is typically the AWS sign-in endpoint (https://signin.aws.amazon.com/saml). The trust policy you provided with the SAML:aud condition key should work for SAML federation with AWS.

[1] aws:PrincipalOrgID: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principalorgid

AWS
answered 7 months ago
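An added check, not code from the asker or from AWS, that lints a SAML role trust policy for the mistake in this question: it flags organization-scoped condition keys (which are absent from the request context when the principal is the federated IdP, so a plain StringEquals on them never matches) and confirms the SAML:aud audience is pinned. The two policies are reconstructed from the question; ORG_ONLY_KEYS and the function name are my own.

```python
import json

# Trust policies copied from the question (constructed copies, not live AWS data).
# "o-xxxxx" is the asker's placeholder organization ID.
WORKING_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "Federated": "arn:aws:iam::123456789012:saml-provider/AzureAD-SSO" },
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": { "StringEquals": { "SAML:aud": [ "https://signin.aws.amazon.com/saml" ] } } } ] }""")
DENIED_POLICY = json.loads("""{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "Federated": "arn:aws:iam::123456789012:saml-provider/AzureAD-SSO" },
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-xxxxx",
                                   "SAML:aud": [ "https://signin.aws.amazon.com/saml" ] } } } ] }""")

# Condition keys that are only present when the caller is an AWS principal that
# belongs to an organization. For sts:AssumeRoleWithSAML the principal is the
# external IdP, so the key is missing and StringEquals on a missing key is false:
# the Allow never matches and STS answers AccessDenied (the symptom in the question).
ORG_ONLY_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalOrgPaths"}
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_saml_trust_policy(policy):
    """Return findings (strings) for Allow statements granting sts:AssumeRoleWithSAML."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in _as_list(stmt.get("Action", [])):
            continue
        if "Federated" not in stmt.get("Principal", {}):
            findings.append(f"statement {idx}: AssumeRoleWithSAML needs a Federated (SAML provider) principal")
        condition = stmt.get("Condition", {})
        keys_used = {key for operator in condition.values() for key in operator}
        for key in sorted(keys_used & ORG_ONLY_KEYS):
            findings.append(f"statement {idx}: {key} is never set for a SAML-federated principal, "
                            f"so this condition can never be satisfied; remove it")
        # Collect audiences pinned with any StringEquals* operator.
        audiences = set()
        for operator, pairs in condition.items():
            if operator.startswith("StringEquals") and "SAML:aud" in pairs:
                audiences.update(_as_list(pairs["SAML:aud"]))
        if SAML_AUDIENCE not in audiences:
            findings.append(f"statement {idx}: pin the assertion audience with StringEquals SAML:aud = {SAML_AUDIENCE}")
    return findings

if __name__ == "__main__":
    for name, policy in (("working", WORKING_POLICY), ("denied", DENIED_POLICY)):
        print(name, lint_saml_trust_policy(policy) or ["ok"])
```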
