Using Identity Center permission sets with aws sso login


I am trying to give additional permissions to a user logging in through "aws sso login". I have assigned a new permission set to the user in Identity Center:

Username / Group name    Permission sets
franck102                PassmateSuperUser | PowerUserAccess

I don't understand the relationship between aws sso login and permission sets / roles... is the user assuming at most one role at a given time? I tried running assume-role and that failed.

How do I grant multiple roles/permission sets to a user from inside Identity Center?

aws sts assume-role --role-arn=arn:aws:sso:::permissionSet/ssoins-7223b12c125038c4/ps-faa46ae73e7f6f2e --role-session-name rsName

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::782843724418:assumed-role/AWSReservedSSO_PowerUserAccess_f25350ffe5da71ec/franck102 is not authorized to perform: sts:AssumeRole on resource: arn:aws:sso:::permissionSet/ssoins-7223b12c125038c4/ps-faa46ae73e7f6f2e
asked 10 months ago, 353 views
1 Answer

I will try to solve your doubts, assuming that you are using IdP like Okta.

aws sso login: is a command line that uses your credentials configured in .aws/config; you will have something like this:

[profile account-name-A]
sso_start_url = https://d-id.awsapps.com/start
sso_region = eu-west-2
sso_account_id = account_num-A
sso_role_name = roleX
region = eu-west-2
output = text

[profile account-name-B]
sso_start_url = https://d-id.awsapps.com/start
sso_region = eu-west-2
sso_account_id = account_num-B
sso_role_name = roleY
region = eu-west-2
output = text

This process verifies the user's identity and generates temporary AWS credentials.

Permission set: AWS SSO assigns one or more permission sets to the user. A permission set is a collection of permissions that defines the user's access rights. They are composed of the permissions that you want the users to be able to exercise over the accounts, which can be formed from custom permissions and managed permissions (AWS scope).

That permission set can be attached to an account or accounts, depending on where you want the user to have access.

The role is not like in IAM; in SSO there isn't a concept of a role.

Commands workflow: aws sso login --> that opens your IdP to accept the access --> then you can use a command like: aws s3 ls --profile account-name-B --> the profile name indicates the account and the role with which it is associated.

If you want aws sts assume-role, you need to configure the permission set to assume the role.

Judith
answered 10 months ago
• There is definitely a concept of role in SSO, see the profile settings you mentioned: sso_role_name. But I agree that the AWS docs are really confusing around this.

  That parameter is required, and it takes a single value, so I am coming to the conclusion that a user logged in through SSO can only assume one permission set at a given time; so I have started customizing a single custom Permission Set by adding the policies I need to it.
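To make the answer and the comment above concrete, here is an added example (not the poster's code and not an AWS tool): it parses a constructed ~/.aws/config with one profile per account/permission-set pair, reports which --profile yields credentials for a given account and permission set, and distinguishes an IAM role ARN (what sts:AssumeRole expects) from a permission-set ARN like the one in the question. The account id, start URL and profile names are placeholders.

```python
"""Added example (not from the post or any AWS tool): list the Identity Center
(SSO) profiles in an AWS CLI config and check what kind of ARN is being handed
to sts:AssumeRole. One profile = one account + one permission set."""
import configparser
import re

# Constructed sample ~/.aws/config; account id and start URL are placeholders.
SAMPLE_CONFIG = """
[profile dev-poweruser]
sso_start_url = https://d-example.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = PowerUserAccess

[profile dev-superuser]
sso_start_url = https://d-example.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = PassmateSuperUser
"""

# sts:AssumeRole wants an IAM role ARN; a permission-set ARN (as in the
# question) names an Identity Center object, not an assumable role.
IAM_ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PERMISSION_SET_ARN = re.compile(r"^arn:aws:sso:::permissionSet/ssoins-[0-9a-f]+/ps-[0-9a-f]+$")

def sso_profiles(config_text):
    """Return {profile_name: (account_id, permission_set)} for each SSO profile."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    found = {}
    for section in cp.sections():
        if section.startswith("profile ") and cp.has_option(section, "sso_role_name"):
            name = section[len("profile "):]
            found[name] = (cp[section]["sso_account_id"], cp[section]["sso_role_name"])
    return found

def profiles_for(config_text, account_id, permission_set):
    """Which --profile values yield credentials for this account + permission set."""
    return sorted(n for n, p in sso_profiles(config_text).items() if p == (account_id, permission_set))

def classify_assume_role_target(arn):
    """'iam-role' can be assumed; 'permission-set' cannot, pick a profile instead."""
    if IAM_ROLE_ARN.match(arn):
        return "iam-role"
    if PERMISSION_SET_ARN.match(arn):
        return "permission-set"
    return "unknown"
```

Run against your real ~/.aws/config, the same functions tell you which profile to pass to aws sso login and to later commands for each permission set you have been assigned.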
