Assume Role for SSO Users

1

Is there available a functionality to make assume a (custom) role for SSO users now? It would help us to provide more granular permissions for users with specific roles.
I meant now, because there was already a similar question on old forum: https://forums.aws.amazon.com/thread.jspa?threadID=312303

BR

2 Answers
2

You cannot customize the name of roles still assumed by SSO, but the permissions of that role are all defined by your mappings in AWS SSO to the IAM policies defined for that group. With those SSO group to role mappings this would allow you to set granular access. Have you taken a look at this: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html

profile pictureAWS
EXPERT
Rob_H
answered 2 years ago
1

I have a need similar to what the requestor is asking for... Basically we want permission set to have capability to ONLY-ASSUME a limited set of roles. And then the user's real access is based on these ROLES. The main advantage of this is that you cannot add PermissionSet to an S3 Bucket Policy (AWS will delete/remake permission set roles randomly), but you can do this to regular role.

So, if we agree that PermissionSet roles should really just be "assume-only", then we would like AWS-SSO to automatically assume one or more roles after the user login -- maybe by setting the relay state or something in the AWS-SSO URL.

This is not possible today.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions