SSO Users assumeRole in other aws accounts

0

Let's say I have an AWS account A of Organisation A from where the Identity Center users log in and can assume roles using the policies (trust relationship established from these target accounts) to other AWS accounts in another organisation B.

crossAccountPolicy in account A of organisation A -> assume roles in accounts of organisation B

I know about using the permission set with the customer-managed policy type, but how do we establish the trust relationship in the accounts of organisation B?

What I tried: in the target accounts of organization B, I specified this in the trust relationship policy of the assumed role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{account A of organization A}:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::{account A of organization A}:assumed-role/AWSReservedSSO_*"
                }
            }
        }
    ]
}

Source: https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html

I also tried the one from below, but I was unable to switch role from the permission set [crossAccountPolicy - assigned with this policy]: https://repost.aws/questions/QUjRg7Qi9kTVO-IaYeUUTW3Q/allow-assumerole-from-an-assumed-sso-generated-role-solved

1 Answer
0

According to the documentation, the following trust policy should be set.
That is, the ARN must contain sso.amazonaws.com/<aws-region>/.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_AdministratorAccess_*"
        }
      }
    }
  ]
}
hayao-k
answered 10 months ago
  • This part eu-west-2, I don't understand where they got this part?

  • The answer does not work at all, even if I used the assumed role of the permission set ARN for the trust relationship.
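As an added example (not code from the question, the answer, or AWS), the following Python check evaluates a trust policy's aws:PrincipalArn ArnLike condition against the principal ARN an Identity Center session actually presents: the permission set's role ARN under the /aws-reserved/sso.amazonaws.com/<region>/ path, where <region> is the region in which IAM Identity Center is enabled. The account ID, region, permission set name and role-name suffix are constructed, and the rule that a us-east-1 Identity Center omits the region segment is an assumption.

```python
import re

def arn_like(pattern: str, arn: str) -> bool:
    """Approximate IAM ArnLike: compare the six colon-delimited components one by
    one; '*' / '?' match inside a component ('*' may span '/', never ':')."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, a) is None:
            return False
    return True

def sso_role_arn(account: str, ic_region: str, permission_set: str, suffix: str) -> str:
    """Role ARN Identity Center creates for a permission set; the path carries the
    Identity Center home region (that us-east-1 omits it is an assumption)."""
    path = "aws-reserved/sso.amazonaws.com/"
    if ic_region != "us-east-1":
        path += f"{ic_region}/"
    return f"arn:aws:iam::{account}:role/{path}AWSReservedSSO_{permission_set}_{suffix}"

def trust_policy_allows(policy: dict, principal_arn: str) -> bool:
    """Does any Allow sts:AssumeRole statement's aws:PrincipalArn ArnLike condition
    match? For a role session that key is the role ARN, not an assumed-role/... ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        patterns = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(arn_like(p, principal_arn) for p in patterns):
            return True
    return False

def trust_policy(pattern: str) -> dict:
    """Trust policy in the shape used on the page, with one ArnLike pattern."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole", "Condition": {"ArnLike": {"aws:PrincipalArn": pattern}}}]}

# Constructed sample: Identity Center enabled in eu-west-2, AdministratorAccess
# permission set, role-name suffix made up for this example.
CALLER = sso_role_arn("111122223333", "eu-west-2", "AdministratorAccess", "0123456789abcdef")
QUESTION_POLICY = trust_policy("arn:aws:iam::111122223333:assumed-role/AWSReservedSSO_*")
ANSWER_POLICY = trust_policy(
    "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_AdministratorAccess_*")

if __name__ == "__main__":
    print("question pattern:", trust_policy_allows(QUESTION_POLICY, CALLER))  # False
    print("answer pattern:", trust_policy_allows(ANSWER_POLICY, CALLER))  # True
```

The trust policy only decides whether the target role may be assumed; the permission set's own policy (crossAccountPolicy in the question) must still grant sts:AssumeRole on that target role ARN.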
