SSO Users assumeRole in other aws accounts

0

Let say i have an aws account A of Organisation A from where the Identity Center users login and can assume roles using the policies (trust relationship estableshed from these target account) to other aws accounts into another organisation B.

crossAccountPolicy in account A of organisation A -> assume roles in accounts of organisation B

I know using the permission set with type customer-managed policy, but how do we establish the trust relationship in the accounts of organisation B?

What i tried: in the target accounts of organization B, i specified in the trust relationship policy of the assumed role

{
    "Version": "2012-10-17",
    "Statement": [        
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{account A of organization A}:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": "arn:aws:iam::{account A of organization A}:assumed-role/AWSReservedSSO_*"
                }
            }
        }
    ]
}

Source: https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html

I tried the one from below also, but unable to switch role from the permission set [crossAccountPolicy - assigned with this policy] https://repost.aws/questions/QUjRg7Qi9kTVO-IaYeUUTW3Q/allow-assumerole-from-an-assumed-sso-generated-role-solved

1 Answer
0

According to the documentation, the following trust policies should be set.
That is, arn must contain sso.amazonaws.com/<aws-region>/.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_AdministratorAccess_*"
        }
      }
    }
  ]
}
profile picture
hayao-k
answered 8 months ago
  • this part eu-west-2 i dont understand where they got this part?

  • the answer does not work at all, even if i used the assumed role of the permissionset arn for the trust relationship

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions