
How to use AssumeRoleWithWebIdentity with different permissions for different users?

0

We are currently using AssumeRoleWithWebIdentity with a web application. The issue we see is that every user who is logged into our web application has the same permissions mapped to the target IAM role.

Is there any way to configure the target IAM role so that each user has a different set of permissions? E.g. one user can create a VPC while another user can only fetch the list of VPCs. Permissions should be mapped to the email ID of the logged-in user.

2 Answers
1
Accepted Answer

To configure different permissions for different users when using AssumeRoleWithWebIdentity, you can use a combination of IAM roles, policies, and AWS Identity and Access Management (IAM) condition keys. The main idea is to use session tags and conditions in your IAM policies to grant different permissions based on the user's identity (e.g., email ID).

Here's a step-by-step approach to achieving this:

1. Create a Role with a Trust Policy:

Create an IAM role that allows web identity federation and includes a trust policy that trusts the identity provider (IdP) you are using (e.g., Amazon Cognito, Google, etc.).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::YOUR_ACCOUNT_ID:oidc-provider/YOUR_IDP_PROVIDER"
      },
      "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
      "Condition": {
        "StringEquals": {
          "YOUR_IDP_PROVIDER:sub": "YOUR_IDP_SUB_IDENTIFIER"
        }
      }
    }
  ]
}

2. Attach Policies to the Role:

Attach policies to this role that allow the necessary actions but use IAM condition keys to restrict access based on the user's identity. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVpc",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Email": "user1@example.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Email": "user2@example.com"
        }
      }
    }
  ]
}

3. Include Session Tags:

When calling AssumeRoleWithWebIdentity, pass session tags that include the email ID of the user. Here's an example of how to do this using AWS SDK for Python (boto3):

import boto3

client = boto3.client('sts')

# AssumeRoleWithWebIdentity has no Tags parameter (boto3 rejects it with a
# ParamValidationError). Session tags for a web identity are carried inside
# the token itself, in the "https://aws.amazon.com/tags" claim issued by the
# IdP, and the role's trust policy must also allow sts:TagSession.
response = client.assume_role_with_web_identity(
    RoleArn='arn:aws:iam::YOUR_ACCOUNT_ID:role/YOUR_ROLE_NAME',
    RoleSessionName='web-identity-session',
    WebIdentityToken='YOUR_WEB_IDENTITY_TOKEN',  # JWT carrying the tags claim
    DurationSeconds=3600,
)

# Temporary credentials for the tagged session
credentials = response['Credentials']

This will create a session where the Email tag is set to user1@example.com.

4. Modify IAM Policies with Conditions:

Ensure your IAM policies are structured to check for these session tags. Here is an updated example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpc",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Email": "user1@example.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeVpcs",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Email": "user2@example.com"
        }
      }
    }
  ]
}

By using session tags and IAM conditions, you can ensure that different users have different permissions based on their email ID. Adjust the IAM policies and session tags as necessary to fit your specific requirements.

EXPERT
answered 2 years ago
EXPERT
reviewed a year ago
  • In my case, we have users onboarded as IAM users and permissions are assigned to IAM users either directly or through user groups. Is there any way to assume the identity of an IAM user to simulate CLI behaviour, where using an IAM user's credentials gives you access to the data for that particular IAM user only?

  • Tags are not a parameter you pass in when calling AssumeRoleWithWebIdentity. This code sample does not work as advertised.
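As an added illustration (not the answer author's code, nor anything from AWS), the following constructed Python shows where the session tags actually come from in the web-identity flow, which the second comment above points at, and how a policy keyed on aws:PrincipalTag/Email separates the two users from the question. The issuer, subject, token and policy are constructed placeholders, and the evaluator models only Allow statements with StringEquals conditions, not full IAM evaluation.

```python
import base64
import json

# Constructed sample ID-token payload. In the web-identity flow the session tags
# ride inside the token, in the "https://aws.amazon.com/tags" claim the IdP
# issues; they are not an API parameter of AssumeRoleWithWebIdentity.
TAGS_CLAIM = "https://aws.amazon.com/tags"
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com",  # placeholder issuer
    "sub": "user1-subject",
    TAGS_CLAIM: {"principal_tags": {"Email": ["user1@example.com"]},
                 "transitive_tag_keys": ["Email"]},
}
# Constructed policy matching the question: user1 creates and lists VPCs, user2 only lists.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CreateVpc", "ec2:DescribeVpcs"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/Email": "user1@example.com"}}},
    {"Effect": "Allow", "Action": "ec2:DescribeVpcs", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalTag/Email": "user2@example.com"}}},
]}

def encode_unsigned_token(payload: dict) -> str:
    """Build 'header.payload.' with an empty signature, for the demo only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."

def principal_tags(token: str) -> dict:
    """Return {TagKey: value} from the tags claim. No signature check here: STS
    verifies the token against the IdP's keys before it trusts these tags."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    tags = payload.get(TAGS_CLAIM, {}).get("principal_tags", {})
    return {key: values[0] for key, values in tags.items()}  # one value per key

def is_allowed(policy: dict, action: str, tags: dict) -> bool:
    """Minimal evaluator: an Allow statement whose StringEquals conditions on
    aws:PrincipalTag/<Key> all match the session tags. A missing tag never matches."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or action not in actions:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(tags.get(key.split("/", 1)[-1]) == want for key, want in conds.items()):
            return True
    return False
```

A session whose token carries no Email tag matches neither statement, so the default outcome is deny rather than the broadest permission.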

0

Appreciate your detailed response. It's very helpful.

answered 2 years ago
