A federated identity is a user that can access secure AWS account resources with external identities. External identities can come from a corporate identity store (such as LDAP or Windows Active Directory) or from a third party (such as Login with Amazon, Facebook, or Google). Refer to the Federated Identity Overview for more details.
From the Policy Evaluation Logic document, I'm picking up the following statement:
Principal – The user, role, federated user, or application that sent the request. Information about the principal includes the policies that are associated with that principal.
User: IAM user (native to AWS).
Role: IAM role (a role created in AWS; it can be a federated role via a trust relationship, e.g. SAML).
Federated user: a user whose authentication happens through an identity provider and whose authorization happens on the AWS IAM side through the trust relationship between the IdP and IAM. Users who assume a federated role are also called federated users.
So, "IAM user who federated" means the user who logged in to AWS by authenticating through the corporate identity store, not the user who configured federation.
Hope you find this helpful, let me know if you have any additional questions.
Hi, see https://aws.amazon.com/identity/federation/ for a detailed definition:
Identity federation is a system of trust between two parties for the purpose
of authenticating users and conveying information needed to authorize their
access to resources. In this system, an identity provider (IdP) is responsible for
user authentication, and a service provider (SP), such as a service or an application,
controls access to resources. By administrative agreement and configuration, the SP
trusts the IdP to authenticate users and relies on the information provided by the
IdP about them. After authenticating a user, the IdP sends the SP a message, called
an assertion, containing the user's sign-in name and other attributes that the SP
needs to establish a session with the user and to determine the scope of resource
access that the SP should grant. Federation is a common approach to building access
control systems which manage users centrally within a central IdP and govern their
access to multiple applications and services acting as SPs.
We often have the case where customers have Active Directory (on-prem or in the cloud) where identities are defined. AD is the IdP in that case. Those users will then use services on AWS under their AD id. So, this AD id is "federated" toward AWS, which trusts AD and grants access to resources based on the IAM credentials granted to those federated identities.
All it means is that when a user federates their access to AWS, the request or requests they make to AWS resources will be associated with their federated user identity represented by the federated user ARN, rather than the IAM user who facilitated the federated access.
Apologies, but I am still not understanding. Let me elaborate: if a user's AWS login request is federated with AD, there is no IAM user ARN to be considered. The federated user never has an IAM user ARN. It is only given an IAM federated user session ARN. This is the ARN that must be used if you wish to grant the federated user access in a resource-based policy, like an S3 bucket policy. Is my understanding correct? An example of an IAM federated user session ARN would be: arn:aws:sts::111122223333:federated-user/exampleuser. So it is not clear to me what this doc is referring to when it refers to the "ARN of the IAM user who federated". The "IAM user who federated" what?
It might feel like I am splitting hairs, but I am studying for an exam, and I need to understand these concepts. The wording just feels vague. Thanks in advance.
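The distinction the thread keeps circling back to, an IAM user ARN (`arn:aws:iam::…:user/…`) versus the federated user session ARN (`arn:aws:sts::…:federated-user/…`) that a resource-based policy has to name, is easy to see in code. The example below is added here and is not from the thread or from AWS; it classifies the principal ARN forms that appear in policy evaluation and builds an S3 bucket policy statement whose `Principal` is the federated user session. The account id 111122223333 and the name `exampleuser` are taken from the comment above; the role name `ExampleRole` and the bucket name are constructed for illustration, and the assumed-role session form (`arn:aws:sts::…:assumed-role/<role>/<session>`) is the standard STS format, included to show the generalization.

```python
"""Classify AWS principal ARNs and build a resource-based policy for one.

Added example (not from the re:Post thread or AWS documentation).
Account id 111122223333 and "exampleuser" come from the thread; the role
name, session name and bucket name below are constructed placeholders.
"""
import json
import re

# Constructed sample ARNs in the three principal forms discussed.
IAM_USER_ARN = "arn:aws:iam::111122223333:user/exampleuser"
FEDERATED_USER_ARN = "arn:aws:sts::111122223333:federated-user/exampleuser"
ASSUMED_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/ExampleRole/exampleuser"

# IAM and STS principal ARNs have an empty region field and a 12-digit account.
_PRINCIPAL_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>\d{12}):(?P<resource>.+)$"
)


def classify_principal(arn: str) -> dict:
    """Return which kind of principal an ARN denotes and its parts.

    iam:user/<name>                       -> a long-lived IAM user
    iam:role/<name>                       -> an IAM role (not a session)
    sts:federated-user/<name>             -> a federated user session
    sts:assumed-role/<role>/<session>     -> an assumed-role session
    """
    m = _PRINCIPAL_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn}")
    service, account = m.group("service"), m.group("account")
    kind, _, rest = m.group("resource").partition("/")

    if service == "iam" and kind == "user" and rest:
        return {"kind": "iam-user", "account": account, "name": rest}
    if service == "iam" and kind == "role" and rest:
        return {"kind": "iam-role", "account": account, "name": rest}
    if service == "sts" and kind == "federated-user" and rest:
        # A session principal: it exists only while the federated session does
        # and is distinct from any IAM user ARN.
        return {"kind": "federated-user", "account": account, "name": rest}
    if service == "sts" and kind == "assumed-role":
        role, _, session = rest.partition("/")
        if role and session:
            return {"kind": "assumed-role", "account": account,
                    "role": role, "session": session}
    raise ValueError(f"unrecognised principal resource: {m.group('resource')}")


def bucket_policy_for_principal(principal_arn: str, bucket: str) -> dict:
    """Build a minimal S3 bucket policy granting ListBucket to one principal.

    Validates the ARN first so a malformed principal fails here rather than
    at PutBucketPolicy time. Session ARNs (federated-user, assumed-role)
    match only that exact session name, which is why the thread's author
    needs the federated user session ARN, not an IAM user ARN.
    """
    info = classify_principal(principal_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"AllowListBucketFor{info['kind'].replace('-', '')}",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            }
        ],
    }


if __name__ == "__main__":
    for arn in (IAM_USER_ARN, FEDERATED_USER_ARN, ASSUMED_ROLE_ARN):
        print(arn, "->", classify_principal(arn))
    print(json.dumps(bucket_policy_for_principal(FEDERATED_USER_ARN,
                                                 "example-bucket"), indent=2))
```

Running the block prints each ARN's classification and the generated bucket policy; swapping `FEDERATED_USER_ARN` for `IAM_USER_ARN` produces a policy that would never match the federated session, which is the mismatch the comment above describes.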