Access Control in Secrets Manager for Federated Users


My scenario: I have my users in Azure AD. This is connected to AWS single-account SSO into an AWS account using an IAM SAML IdP (PS: we are not using the AWS SSO service). We are using AWS Secrets Manager and want to store per-user secrets using a secret name path (e.g. /usersecrets/<azure_ad_username>/<secret_name>). When the users log in using Azure AD auth, they automatically assume the IAM role attached. I would like to do the following:


  1. Allow users to list secrets, create secrets and get the secret value for any secret which has a name /usersecrets/<azure_ad_username>/* (here azure_ad_username is what the AWS session sees when they assume the role to log in).
  2. Deny access to any secret unless the request is coming from a federated user (i.e. local IAM users in the AWS account should not be able to see any secret in the path /usersecrets/<azure_ad_username>/*).

Requirement 2: In addition to the federated Azure AD users, I also want to allow an EC2 instance role to be able to Get/List/Describe any secret. This EC2 role is in the same AWS account where the secrets are and is attached to all Windows servers. This IAM role is to allow SSM Run Command to execute on these Windows machines and fetch the secret values (e.g. to get the secret of a user and create a local Windows user with the same name and password as in Secrets Manager, using PowerShell).

Question: Can you help with a sample IAM policy for the role, or a Secrets Manager resource policy, that I can use to meet both requirements?

2 Answers

You can use the concept of a Token Vending Machine (see here) to create dynamic policies for users when you federate.

For the EC2 Role, see examples here:

answered 2 years ago by AWS
reviewed 2 years ago by AWS

I was trying to set this up using Google Workspace, so pretty similar. I was hoping that setting a policy either in IAM Identity Center or directly on the secret if needed, using aws:PrincipalTag with a custom SAML attribute, would do the trick. So far zero success, because of lack of knowledge I suppose. The TVM solution is grossly overkill for my use case; is it the only way?

answered 10 months ago
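The aws:PrincipalTag approach mentioned in the answer above does work without a token vending machine, provided the IdP sends the username as a SAML session tag and the role's trust policy allows sts:TagSession. The CloudFormation template below is an added example, not code from the question or either answer. It assumes an IAM SAML provider named AzureAD in account 123456789012, a SAML attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:username configured on the IdP, and secret names that begin with /usersecrets/ exactly as written in the question. It addresses both requirements from the question: the federated role can list, create and read only secrets under its own username, and the Windows instance role can read every secret under /usersecrets/ (deliberately narrower than "any secret").

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the question or answers). Provider ARN and account ID are assumptions.

Parameters:
  SamlProviderArn:
    Type: String
    Default: arn:aws:iam::123456789012:saml-provider/AzureAD  # assumed name

Resources:
  # Role the Azure AD users land in. The IdP must send the SAML attribute
  # https://aws.amazon.com/SAML/Attributes/PrincipalTag:username carrying the
  # user's name; STS turns it into the session tag "username", which is what
  # aws:PrincipalTag/username reads below. Passing session tags requires
  # sts:TagSession in the trust policy next to sts:AssumeRoleWithSAML.
  FederatedUserRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AzureADUsers
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref SamlProviderArn
            Action:
              - sts:AssumeRoleWithSAML
              - sts:TagSession
            Condition:
              StringEquals:
                SAML:aud: https://signin.aws.amazon.com/saml
      Policies:
        - PolicyName: OwnUserSecretsOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # ListSecrets only accepts Resource "*": users see the names and
              # metadata of every secret in the account, but never a value.
              - Sid: ListSecretNames
                Effect: Allow
                Action: secretsmanager:ListSecrets
                Resource: "*"
              # Create/read/update is confined to the caller's own path by
              # substituting the session tag into the resource ARN. "${!...}"
              # is CloudFormation's escape for a literal "${...}", so IAM gets
              # the policy variable unchanged. The trailing "*" also covers the
              # random suffix Secrets Manager appends to every secret ARN.
              - Sid: OwnPathOnly
                Effect: Allow
                Action:
                  - secretsmanager:CreateSecret
                  - secretsmanager:DescribeSecret
                  - secretsmanager:GetSecretValue
                  - secretsmanager:PutSecretValue
                Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/usersecrets/${!aws:PrincipalTag/username}/*"
                # A session without the "username" tag (e.g. the role assumed
                # with plain sts:AssumeRole) gets nothing, rather than relying
                # on the unresolved variable failing to match. "Null" is quoted
                # so YAML does not parse it as a null key.
                Condition:
                  "Null":
                    aws:PrincipalTag/username: "false"

  # Instance role for the Windows servers reached through SSM Run Command.
  # Scoped to the /usersecrets/ tree rather than "any secret": the PowerShell
  # that creates local users only needs that path.
  WindowsInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: WindowsUserSecretsReader
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore"
      Policies:
        - PolicyName: ReadAllUserSecrets
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ListSecretNames
                Effect: Allow
                Action: secretsmanager:ListSecrets
                Resource: "*"
              - Sid: ReadEveryUserPath
                Effect: Allow
                Action:
                  - secretsmanager:DescribeSecret
                  - secretsmanager:GetSecretValue
                Resource: !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:/usersecrets/*"

  WindowsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref WindowsInstanceRole
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name user-secrets-access --capabilities CAPABILITY_NAMED_IAM` (the named-IAM capability is needed because the roles carry fixed RoleName values). Three caveats a practitioner should check: the name-prefix scoping depends on the secret name being used verbatim in the ARN, so verify one created secret's ARN before relying on it; local IAM users receive nothing from these policies because IAM denies by default, but if you want that guarantee to hold no matter what other policies get attached later, put an explicit Deny on secretsmanager actions for the /usersecrets/ ARN prefix with a "Null aws:PrincipalTag/username: true" condition into a service control policy rather than into per-secret resource policies, which users would have to attach to each secret they create; and if the secrets are encrypted with a customer managed KMS key rather than the AWS managed key, both roles also need the matching kms:Decrypt (and, for CreateSecret/PutSecretValue, kms:GenerateDataKey) permission on that key.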
