By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Can we apply role to IDP users

0

ENVIRONMENT

  • We have a external Active Directory connected with AWS with SSO and we able to login with the external Active Directory users
  • We have a role created with a attached policy. The policy has only start & stop permission of EC2 instance QUERY We want to assign a existing/created role to external Active Directory users. I am not able to get a way forward. Please advise
  • Adeleke Adebowale J EXPERT
    3 months ago

    From :- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_tag-owner.html

    If you want to provide EC2 start and stop permissions to users from an external Active Directory, you can follow these general steps:

    1. Create an AWS SSO Permission Set:

      • In AWS SSO, create a permission set that includes the permissions (start and stop EC2 instances) you want to grant.

    2. Assign Permission Set to Users:

      • Assign the permission set to the users from your external Active Directory. This association will grant them the specified permissions.

    3. Create IAM Role with EC2 Permissions:

      • Create an IAM role with the desired EC2 permissions. This IAM role will be assumed by the EC2 instances when started or stopped.

    4. Trust Relationship:

      • Modify the trust relationship of the IAM role to allow AWS SSO to assume the role on behalf of the users. The trust relationship might look something like this:

        {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:sso.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "ssosso.amazonaws.com:aud": "app/<SSO_APP_ID>"
        }
      }
    }
  ]
}

        Replace <ACCOUNT_ID> with your AWS account ID and

Topics
Security, Identity, & Compliance
Tags
IAM Policies
Language
English
ZAHIDHASEEB
asked 3 months ago119 views
3 Answers
1

In AWS, access to resources, including EC2 instances, is controlled by AWS Identity and Access Management (IAM). IAM allows you to manage access to AWS services and resources securely. Whether you can see or get access to EC2 instances created by another AWS user depends on the IAM policies associated with your IAM user or role Aws documentation will guide you more about this :- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html

profile picture
EXPERT
Adeleke Adebowale J
answered 3 months ago
0

Hi Debolek,

I am almost done. is it possible that I can see or get access to EC2 created by another AWS user ?

ZAHIDHASEEB
answered 3 months ago
0

Hope it clarifies and if does I would appreciate answer to be accepted so that community can benefit for clarity, thanks ;)

profile picture
EXPERT
Adeleke Adebowale J
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content