How to edit the tag of my SSO Permission Sets to share my redshift Queries

Hi,

As described in the AWS document [1], you can apply tags to permission sets only. You can't apply tags to the corresponding roles that AWS SSO creates in AWS accounts. Hence, when you add a tag to a permission sets, it does not reflect in the corresponding roles in IAM, and also were unable to add a tag directly to corresponding roles in IAM as the roles were created and managed by the AWS SSO service.

In this context, I would like to inform you that IAM Identity Center works different than IAM, it uses “User Property” instead of tags. And you also need to enable “Attributes for access control” to set attributes to link “Property” and tags that could be recognised in IAM.

Please following steps below to solve this issue :

1. For the user in IAM Identity Center, set the user property "Department" to “accounting-team” [Kindly change this according to your use case].[2] (This will be the attribute used with the sqlworkbench-team tag to share queries)
2. Enable Attribute-based access control (ABAC) in IAM Identity Center [3].
3. Configure a new attribute with key = sqlworkbench-team and Value = ${path:enterprise.department} [4]. In this case, I'm using the value of “property” Department set in step 1. So all users from the same Department will have access to the shared query. you could use any “property” based on your use case.

Please also check AWSReservedSSO role in IAM, it should not have any tags like sqlworkbench-team. It should have relevant policies to access Redshift and query editor v2.

Thank you.

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html

[2] https://docs.aws.amazon.com/singlesignon/latest/userguide/edituser.html

[3] https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html#enable-abac

[4] https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html#configure-abac-attributes