2 Answers
1
We can make use of Permission Sets in IAM Identity Center. After the user logs in to IAM Identity Center, they can select the Permission Set (role) to use and can also switch to another Permission Set that is assigned to them. For more details, refer to: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html
answered 2 years ago
0
Hi Ronald,
thanks for the answer. Is there any possibility of using an inline policy to switch the role for an IAM Identity Center user? I didn't see that there is any ARN for an IAM Identity Center user.
What I know is that an IAM user can assume a role if needed. Ref.: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html
answered 2 years ago
To Ronald's point, when you access a permission set in IAM Identity Center, you are effectively switching roles into an AWS account. Maybe you could explain a little more about what you are trying to accomplish by switching roles after authenticating to IAM Identity Center instead of using a permission set?
Identity Center users are only users in the context of Identity Center. They don't have ARNs. When you log into Identity Center and assume a permission set, you're assuming a role and the Identity Center username is used as the role session name.
Consider user John Doe with username john.doe@example[.]com. If they were to access an AdministratorAccess permission set for account 111122223333, the principal ARN would be something like: arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_XXXXXXXXXXXXX/john.doe@example[.]com. You could use that ARN in your policies.
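As an added example, not part of the thread above: the script below builds the assumed-role ARN shape described in the comment and shows how a practitioner would actually reference it in a policy. Because the suffix that IAM Identity Center appends to the AWSReservedSSO_ role name is generated rather than chosen, the usable pattern is an ArnLike condition on aws:PrincipalArn with a wildcard over that suffix; the account ID, permission set name, bucket name and username are constructed sample values. The wildcard matcher is an approximation of IAM's ArnLike semantics for illustration, not the IAM engine itself.

```python
import fnmatch
import json

# Constructed sample values; they are not real identifiers.
ACCOUNT_ID = "111122223333"
PERMISSION_SET = "AdministratorAccess"
USERNAME = "john.doe@example.com"
BUCKET = "example-audit-logs"


def assumed_role_arn(account_id, permission_set, username, suffix="0123456789abcdef"):
    """Shape of the STS principal ARN a user holds after selecting a permission set.

    The role name is AWSReservedSSO_<PermissionSetName>_<suffix>; the suffix is
    assigned by IAM Identity Center (a placeholder is used here), and the Identity
    Center username becomes the role session name.
    """
    return (f"arn:aws:sts::{account_id}:assumed-role/"
            f"AWSReservedSSO_{permission_set}_{suffix}/{username}")


def principal_arn_pattern(account_id, permission_set, username="*"):
    """ArnLike pattern for aws:PrincipalArn.

    The generated suffix is replaced by '*'. Passing a username pins the
    statement to one Identity Center user; the default matches every user
    who can use that permission set in the account.
    """
    return (f"arn:aws:sts::{account_id}:assumed-role/"
            f"AWSReservedSSO_{permission_set}_*/{username}")


def arn_matches(pattern, arn):
    """Approximate IAM ArnLike matching: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(arn, pattern)


def bucket_policy(bucket, account_id, permission_set, username):
    """S3 bucket policy that lets only one Identity Center user, on one
    permission set, read the bucket.

    Principal names the account (wildcards are not accepted in Principal for
    assumed-role ARNs); the ArnLike condition does the actual narrowing.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOneIdentityCenterUser",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {
                "ArnLike": {
                    "aws:PrincipalArn": principal_arn_pattern(
                        account_id, permission_set, username)
                }
            },
        }],
    }


def caller_allowed(policy, caller_arn):
    """Check a caller ARN (e.g. the Arn field from sts get-caller-identity)
    against the policy's ArnLike condition, to confirm the pattern before
    deploying it."""
    stmt = policy["Statement"][0]
    pattern = stmt["Condition"]["ArnLike"]["aws:PrincipalArn"]
    return arn_matches(pattern, caller_arn)


if __name__ == "__main__":
    policy = bucket_policy(BUCKET, ACCOUNT_ID, PERMISSION_SET, USERNAME)
    print(json.dumps(policy, indent=2))
    print(caller_allowed(policy, assumed_role_arn(ACCOUNT_ID, PERMISSION_SET, USERNAME)))
```

Before relying on such a condition, compare the pattern against the real ARN returned by `aws sts get-caller-identity` from a session started through the Identity Center portal; the role-name suffix on the page is illustrative, and the check above is meant to catch a mismatched permission set name or username rather than replace IAM's own evaluation.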