Deny access to a specific IdP provider while creating an IAM role


Hello All,

Using Landing Zone. Each sub account has its own admin users. I would like to implement this as a service control policy from the main account.

We have a job workflow in GitHub Actions which requests an access token from the AWS IdP provider that we created at our end. This short-lived access token is then passed on to an IAM role which has been mentioned in the GitHub workflow. As part of creating the trust relationship of this IAM role, our ORG repo needs to be mentioned. However, this trust relationship can either be edited, or a second role with web identity federation can be created to bypass this trust relationship. This way the role can actually be used via a public repo as well.

I would like to deny access to a specific IdP provider while creating an IAM role.

sample code

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringLike": {
                    "token.actions.githubusercontent.com:sub": "repo:ORG/*"
                }
            }
        }
    ]
}

Using the UpdateAssumeRolePolicy IAM action I can deny the ability to edit the trust relationship; however, as a workaround, admin users can still create a role with a custom string.

Let me know if you need any further information

Thanks

dsids

1 Answer

Hello,

Thank you for contacting us! I understand that you would like to deny access to a specific IdP provider while creating an IAM role.

I would like to share with you that, unfortunately, it is not possible to restrict the control on a specific Identity Provider when creating a role.

When you start creating a role (via Console), it starts with making a selection on the trusted entity and provides you with the following 5 Trusted entity types:

  1. AWS service
  2. AWS account
  3. Web identity
  4. SAML 2.0 federation
  5. Custom trust policy

Due to process-flow requirements (of "iam:CreateRole"), it is not possible to restrict the selection of particular available resources in the drop-down for any of the above 5 Trusted entity types. Hence, your use case cannot be met. I highly regret the inconvenience this may have caused you.

Next, you may please refer to the document [1], which defines all the supported Condition Keys on the resource(s) for the respective API ("iam:CreateRole" here). If you note, "iam:CreateRole" doesn't have any condition key which can enforce restrictions on the Identity Provider.

Reference:

[1] Actions, resources, and condition keys for Identity And Access Management: https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html

If the suggestions above were not adequate to address your concern, I request you to please create a support case with us instead, so that we can discuss it further.

Please do not post any sensitive information over re:Post since this is a public platform. Please don't hesitate to reach back with any further questions or concerns and we will be glad to assist you accordingly.

Thank you.

AWS
answered 2 years ago
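Since the answer above states that "iam:CreateRole" offers no condition key for the identity provider, the trust policy shown in the question cannot be pinned to the org by an SCP at creation time, which leaves a detective control: periodically read each role's trust policy and flag GitHub OIDC statements whose `sub` condition is not confined to `repo:ORG/`. The following is an added example, not code from the question or the AWS answer; the org name `ORG`, the `sample_policy` helper and the constructed policies are assumptions, and fetching the real trust policies from the IAM API is left to the caller.

```python
import fnmatch

GITHUB_OIDC_SUFFIX = ":oidc-provider/token.actions.githubusercontent.com"
SUB_KEY = "token.actions.githubusercontent.com:sub"

def _as_list(value):
    """IAM policy JSON allows a string or a list in Statement, Action, Principal and Condition values."""
    return value if isinstance(value, list) else [value]

def unpinned_github_statements(trust_policy, allowed_org):
    """Return the Allow statements that let the GitHub OIDC provider call
    sts:AssumeRoleWithWebIdentity without every 'sub' pattern starting with
    the literal prefix repo:<allowed_org>/ (no 'sub' condition at all also counts)."""
    prefix = f"repo:{allowed_org}/"
    findings = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(fnmatch.fnmatchcase("sts:AssumeRoleWithWebIdentity", a) for a in actions):
            continue  # action wildcards such as sts:* are expanded before comparing
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(isinstance(p, str) and p.endswith(GITHUB_OIDC_SUFFIX) for p in federated):
            continue
        patterns = []
        for operator, keys in stmt.get("Condition", {}).items():
            if operator in ("StringEquals", "StringLike"):
                patterns.extend(_as_list(keys.get(SUB_KEY, [])))
        # Anything not literally inside the org (e.g. "repo:*" or a second org) is a finding.
        if not patterns or not all(p.startswith(prefix) for p in patterns):
            findings.append(stmt)
    return findings

def sample_policy(sub_condition=None):
    """Constructed trust policy in the shape of the one in the question; ACCOUNT_ID is a placeholder."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::ACCOUNT_ID" + GITHUB_OIDC_SUFFIX},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if sub_condition is not None:
        stmt["Condition"] = {"StringLike": {SUB_KEY: sub_condition}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

if __name__ == "__main__":
    for sub in ("repo:ORG/*", "repo:*", None):
        print(sub, "->", len(unpinned_github_statements(sample_policy(sub), "ORG")))
```

Run it against the output of `get-role` for every role in each sub account and alert on any non-empty result; the question's own policy (`repo:ORG/*`) produces no finding, while `repo:*` or a missing condition does.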
