
Policy variable for IAM Identity Center user

1

Hi there,

I used the following statement to allow IAM users to terminate their own ssm sessions.

{
  "Effect": "Allow",
  "Action": "ssm:TerminateSession",
  "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"
}

How can I achieve the same result for IAM Identity Center users? The problem is for these users, I can't find the correct policy variable to use in Resource element.

Thank you.

2 Answers
0

Hi,

My understanding (but I couldn't try....) is that an IAM Identity Center user is in category FederatedUser in the table of principal key values on the page https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

In that case, aws:username is not present but aws:userid is valued with account:caller-specified-name

Please, try and let us know!

Best,

Didier

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Hi, Didier. I tried that, and it didn't work. An ssm session id looks like this: username-123456. I think ${aws:userid} is valued with not just the username. So, if we do ${aws:userid}-123456, it will look like this: accountID:username-123456. I think if we can get only the username part, it should work.

0

When working with AWS IAM Identity Center (formerly AWS SSO), you can still achieve the desired policy configuration for allowing users to terminate their own SSM sessions. However, instead of using ${aws:username}, you'll use a different policy variable that represents the Identity Center user.

AWS provides a few IAM policy variables specific to Identity Center, such as ${aws:userid}, ${aws:sub}, and ${aws:principalTag/*}. Among these, ${aws:userid} can often be used effectively to represent the Identity Center user.

Here’s how you can modify your policy to allow IAM Identity Center users to terminate their own SSM sessions:

{
  "Effect": "Allow",
  "Action": "ssm:TerminateSession",
  "Resource": "arn:aws:ssm:*:*:session/${aws:userid}-*"
}

In this policy:

  • ${aws:userid} will be replaced with the unique identifier of the Identity Center user.
  • The ssm:TerminateSession action is allowed on resources that match the ARN pattern arn:aws:ssm:*:*:session/${aws:userid}-*.

This approach would require that the users have the username tag correctly set in their Identity Center attributes.

By utilizing the correct policy variables, you can effectively manage permissions for IAM Identity Center users similarly to traditional IAM users.

AWS
answered a year ago
EXPERT
reviewed a year ago
  • Thanks for your answer. I have already tried that but it didn't work. Let's say the username is dev. Then, the ssm session id will be something like this, dev-123456. But, I think ${aws:userid} returns not just the username. So, using ${aws:userid}-* will give us a string which is different from the session id. For example, it might be 999999:dev-123456; not dev-123456.
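The mismatch described in both comments can be reproduced locally before touching a real account. The following is an added example, not code from the question or either answer: a small simulator of IAM policy-variable substitution and Resource wildcard matching. It renders the two statements from this thread, plus a third that uses the `${aws:principalTag/*}` family mentioned in the second answer, against constructed request contexts for an IAM user and an Identity Center user. The account id, the session ARN, the variable value `999999:dev` (taken from the comment above) and the principal tag `aws:PrincipalTag/userName` are all constructed assumptions; whether that tag exists depends on how Identity Center attributes are mapped in your own deployment, which this thread does not confirm.

```python
import re
from typing import Dict, List, Optional, Union

# ${key} placeholders as they appear in IAM policy documents
VAR_RE = re.compile(r"\$\{([^}]+)\}")


def _wild(text: str) -> str:
    """Translate IAM wildcards in policy text: '*' = any run, '?' = one char."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in text)


def render_resource(resource: str, context: Dict[str, str]) -> Optional[str]:
    """Substitute ${key} from the request context, for display.

    Returns None when a key is absent from the context, mirroring IAM, where a
    variable with no value in the request makes the statement match nothing.
    """
    try:
        return VAR_RE.sub(lambda m: context[m.group(1)], resource)
    except KeyError:
        return None


def resource_regex(resource: str, context: Dict[str, str]) -> Optional[re.Pattern]:
    """Build a matcher for one Resource entry.

    Wildcards in the policy text are honoured; substituted values are matched
    literally (assumption of this simulator).
    """
    parts, pos = [], 0
    for m in VAR_RE.finditer(resource):
        parts.append(_wild(resource[pos:m.start()]))
        if m.group(1) not in context:
            return None
        parts.append(re.escape(context[m.group(1)]))
        pos = m.end()
    parts.append(_wild(resource[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def statement_allows(statement: dict, action: str, resource_arn: str,
                     context: Dict[str, str]) -> bool:
    """True if this single Allow statement matches the action and resource."""
    if statement.get("Effect") != "Allow":
        return False
    actions: Union[str, List[str]] = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    # Action names are matched case-insensitively and may contain wildcards
    if not any(re.fullmatch(_wild(a), action, re.IGNORECASE) for a in actions):
        return False
    resources: Union[str, List[str]] = statement["Resource"]
    resources = [resources] if isinstance(resources, str) else resources
    for r in resources:
        rx = resource_regex(r, context)
        if rx is not None and rx.match(resource_arn):
            return True
    return False


# The two statements from the thread, plus a principal-tag variant (assumed tag name)
STATEMENT_USERNAME = {"Effect": "Allow", "Action": "ssm:TerminateSession",
                      "Resource": "arn:aws:ssm:*:*:session/${aws:username}-*"}
STATEMENT_USERID = {"Effect": "Allow", "Action": "ssm:TerminateSession",
                    "Resource": "arn:aws:ssm:*:*:session/${aws:userid}-*"}
STATEMENT_PRINCIPAL_TAG = {"Effect": "Allow", "Action": "ssm:TerminateSession",
                           "Resource": "arn:aws:ssm:*:*:session/${aws:PrincipalTag/userName}-*"}

# Constructed request contexts. aws:username is only present for IAM users; the
# federated value "999999:dev" is the shape reported in the comment above.
IAM_USER = {"aws:username": "dev", "aws:userid": "AIDAEXAMPLEIAMUSER"}
IDENTITY_CENTER_USER = {"aws:userid": "999999:dev",
                        "aws:PrincipalTag/userName": "dev"}  # tag mapping assumed

# Constructed session ARNs: the user's own session and another user's session
OWN_SESSION = "arn:aws:ssm:us-east-1:111122223333:session/dev-123456"
OTHER_SESSION = "arn:aws:ssm:us-east-1:111122223333:session/ops-123456"


if __name__ == "__main__":
    for name, stmt in [("username", STATEMENT_USERNAME), ("userid", STATEMENT_USERID),
                       ("principal tag", STATEMENT_PRINCIPAL_TAG)]:
        rendered = render_resource(stmt["Resource"], IDENTITY_CENTER_USER)
        own = statement_allows(stmt, "ssm:TerminateSession", OWN_SESSION, IDENTITY_CENTER_USER)
        other = statement_allows(stmt, "ssm:TerminateSession", OTHER_SESSION, IDENTITY_CENTER_USER)
        print(f"{name:14} -> {rendered}  own={own} other={other}")
```

Running the script shows the three outcomes the thread circles around: `${aws:username}` has no value for the federated user, so the statement never matches; `${aws:userid}` renders to `arn:aws:ssm:*:*:session/999999:dev-*`, which cannot match `session/dev-123456`; and a variable that expands to only the bare user name matches the user's own session while still denying another user's session, which is the least-privilege shape the original policy was meant to give.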
