1 Answer
0
Yes, it is possible (I've just tried it in a test account). Even though the ARN that you see as an SSO federated user ens in federated-user/role_name/user you would still use the ARN of the role used by SSO. Once you've added it in, on the Data Lake administrative is should show up as Type: SSO User.
arn:aws:iam::<account-id>:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_<permission-set-based-role-name>
answered 10 months ago
Relevant questions
AWS SSO Access for Linux?
asked 8 months agoIs it possible to give all privileges of a specific user to a specific user in aws rds oracle?
Accepted Answerasked 13 days agoIs it possible to give AWS SSO users Lake Formation data access?
asked 10 months agoIs it possible to map the group as an attribute?
asked 19 days agoIs it possible for AWS to reset the user portal URL in SSO?
Accepted Answerasked 4 months agoIs it possible to specify DB snapshot in AWS Lake Formation?
Accepted Answerasked 2 years agoAWS Service Catalog. Grant SSO Users to the Portfolio
asked 5 months agoMigrate IAM Users to AWS SSO
asked 4 months agoLake Formation federated access
Accepted Answerasked 2 months agoIs it possible to ingest data using Kinesis Data streams without creating an IAM user?
asked 4 months ago
wouldn't that still just be the role? I am looking to see if it is possible to have user level permissions.
Ah. I see, sorry I misunderstood the actual ask of the question. So in this situation what I would suggest as an approach would be to use the ARN of the role as the trusted principle, but then using SSO session attributes to restrict the IAM policy of the federated users. So for example, From the data lakes perspective, the role is a trusted principal, but the role only grants permissions to federated users who have a certain session attribute. (That could be a custom field, or a username depending on the level of fine grained control that you want)
You're effectively pushing the user level permissions into your IAM policy.