Is it possible to give AWS SSO users Lake Formation data access?
Is it possible to assign data permissions to an AWS SSO user by using their federated user arn? If so, please can you advise of the format.
It's possible to assign an AWS SSO created role (permission set) data permission in Lake Formation as it is available as a drop down from IAM, but the user is not available in that list. The top right drop down gives is labelled as a federated user in the pattern of: <IAM_ROLE_FROM_SSO>/<USER> but baking that into an arn like: arn:aws:iam:ACCOUNTID:federated-user/<IAM_ROLE_FROM_SSO>/<USER> is unfortunately not recognised by Lake Formation ui.
Could anyone provide any pointers how we could give single users data permissions when they are AWS SSO users please?
Yes, it is possible (I've just tried it in a test account). Even though the ARN that you see as an SSO federated user ens in federated-user/role_name/user you would still use the ARN of the role used by SSO. Once you've added it in, on the Data Lake administrative is should show up as Type: SSO User.
wouldn't that still just be the role? I am looking to see if it is possible to have user level permissions.
Ah. I see, sorry I misunderstood the actual ask of the question. So in this situation what I would suggest as an approach would be to use the ARN of the role as the trusted principle, but then using SSO session attributes to restrict the IAM policy of the federated users. So for example, From the data lakes perspective, the role is a trusted principal, but the role only grants permissions to federated users who have a certain session attribute. (That could be a custom field, or a username depending on the level of fine grained control that you want)
You're effectively pushing the user level permissions into your IAM policy.
Is it possible to specify DB snapshot in AWS Lake Formation?Accepted Answerasked a year ago
Is it possible for AWS to reset the user portal URL in SSO?Accepted Answerasked 9 days ago
Is it possible to give AWS SSO users Lake Formation data access?asked 5 months ago
Redshift Spectrum Access to Lake FormationAccepted Answerasked 3 years ago
AWS SSO Access for Linux?asked 3 months ago
boto3 "logging" into the AWS SSOAccepted Answerasked 3 months ago
Is it possible to get temporary access keys without using "static" access keys?Accepted Answerasked 5 months ago
AWS Service Catalog. Grant SSO Users to the Portfolioasked a month ago
Is it possible to assign MFA for AWS IAM role?asked 4 months ago
Is it possible to ingest data using Kinesis Data streams without creating an IAM user?asked 2 days ago