Is there a way to correlate IAM roles created by IAM IdentityCenter (IDC) and the Permission Set?


I have an account structure like this:

  • management (management account)
    • development
    • production

I am using AWS IAM IdentityCenter (IDC) to manage access to these accounts and so far, everything is working as expected. I have a permission set named infra-admin, an IdentityStore group named global-infra-admin, and account assignments for each of the accounts. The assignments are bound to built-in AWS IAM policies.

In a previous question I was able to figure out how to set up EKS access using IAM IdentityCenter roles.

The problem I have discovered is that in order to grant access into EKS, one needs an actual IAM role ARN, and while IAM IdentityCenter does create these roles in each account there is a binding for, there is no way to determine the IAM roles that exist per-account for a given permission set. As I'm doing everything in Terraform, and I need to grant access into EKS for each of these roles, I need the actual role ARNs, and I can't find a way to get these role ARNs from IdentityCenter APIs, CLI, or Terraform provider.

Since I have N AWS accounts and I will have M permission sets, determining these role ARNs is going to be an extremely tedious and error-prone process.

The best solution I have come up with is to do something like this:

provider "aws" {
  alias = "mgmt"
}

provider "aws" {
  alias = "account_dev"
}

provider "aws" {
  alias = "prod"
}

# The aws_iam_roles data source filters by name_regex and path_prefix.
# Identity Center names each provisioned role
# AWSReservedSSO_<permission-set>_<random-hex> and places it under the
# /aws-reserved/sso.amazonaws.com/ path (a region segment follows for
# instances outside us-east-1).
data "aws_iam_roles" "infra_admin_mgmt" {
  provider    = aws.mgmt
  name_regex  = "AWSReservedSSO_infra-admin_[a-f0-9]+"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

data "aws_iam_roles" "infra_admin_dev" {
  provider    = aws.account_dev
  name_regex  = "AWSReservedSSO_infra-admin_[a-f0-9]+"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

data "aws_iam_roles" "infra_admin_prod" {
  provider    = aws.prod
  name_regex  = "AWSReservedSSO_infra-admin_[a-f0-9]+"
  path_prefix = "/aws-reserved/sso.amazonaws.com/"
}

The only other alternative seems to be running an AWS CLI script to find these in a similar fashion.

Is there a way to determine the unique IAM role ARNs for each account in which the permission set is bound?

1 Answer

Unfortunately there is no way to pre-determine the random ids at the end of the role that IDC creates in the accounts. This document explains how to reference that role and it has an example of using a wildcard to match those roles: https://docs.aws.amazon.com/singlesignon/latest/userguide/referencingpermissionsets.html

AWS
answered 4 months ago
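The "AWS CLI script" route the question mentions, written out as an added example (not code from the question or the answer): it walks each account's role listing, keeps only roles under the Identity Center path, and splits the AWSReservedSSO_<permission-set>_<random-hex> name from the right so that permission-set names containing underscores still correlate. The sample listings, account ids and the boto3 helper are constructed assumptions; the table built from the sample is what a practitioner would feed into EKS access entries.

```python
import re
from collections import defaultdict

# Path Identity Center provisions its roles under; instances outside
# us-east-1 append a region segment, so match on the prefix only.
SSO_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"
# Greedy group for the permission-set name, so the LAST "_<hex>" is the
# random suffix even when the permission set name itself has underscores.
SSO_ROLE = re.compile(r"^AWSReservedSSO_(?P<pset>.+)_(?P<suffix>[a-f0-9]+)$")

# Constructed sample of iam:ListRoles output (trimmed to the fields used).
SAMPLE_ROLES = {
    "111111111111": [  # management account
        {"RoleName": "AWSReservedSSO_infra-admin_0123456789abcdef",
         "Path": SSO_PATH_PREFIX,
         "Arn": "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_infra-admin_0123456789abcdef"},
        {"RoleName": "OrganizationAccountAccessRole", "Path": "/",
         "Arn": "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole"},
    ],
    "222222222222": [  # development account, Identity Center in eu-west-1
        {"RoleName": "AWSReservedSSO_infra-admin_fedcba9876543210",
         "Path": SSO_PATH_PREFIX + "eu-west-1/",
         "Arn": "arn:aws:iam::222222222222:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_infra-admin_fedcba9876543210"},
        {"RoleName": "AWSReservedSSO_read_only_00112233aabbccdd",
         "Path": SSO_PATH_PREFIX + "eu-west-1/",
         "Arn": "arn:aws:iam::222222222222:role/aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_read_only_00112233aabbccdd"},
    ],
}


def sso_roles_by_permission_set(roles):
    """Map permission-set name -> role ARN for one account's role listing."""
    found = {}
    for role in roles:
        if not role["Path"].startswith(SSO_PATH_PREFIX):
            continue  # not provisioned by Identity Center; ignore
        m = SSO_ROLE.match(role["RoleName"])
        if m:
            found[m.group("pset")] = role["Arn"]
    return found


def correlate(roles_per_account):
    """Build {permission set: {account id: role ARN}} across all accounts."""
    table = defaultdict(dict)
    for account, roles in roles_per_account.items():
        for pset, arn in sso_roles_by_permission_set(roles).items():
            table[pset][account] = arn
    return dict(table)


def list_sso_roles_live(session):
    """Same listing against a real account via boto3 (assumed dependency)."""
    paginator = session.client("iam").get_paginator("list_roles")
    return [r for page in paginator.paginate(PathPrefix=SSO_PATH_PREFIX)
            for r in page["Roles"]]
```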
