How to use Okta username in IAM policy?

1

I am using Federated Identity with Okta being the IDP. I would like to add an Identity based policy which provides access to resources which are tagged with the user's Okta username. For each resource, I want to set the tag username and give it a value of the user who needs to access it.
"Condition": { "StringEquals": {"aws:ResourceTag/username": "${????}"} }

What should I add to the StringEquals condition so that the Okta username gets used?

asked a year ago249 views
1 Answer
0

I'm not sure if/how the username comes through from Okta in the SAML assertion, but you can access various attributes from it in an IAM policy [1]. The username would generally be the SAML subject, so ${saml:sub} is worth a try. You can use a tool like SAML Tracer to examine the response and determine which attribute is best [2].

There is additional AWS guidance on uniquely identifying SAML federated users here: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-userid and more general information about policy variables here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-infotouse

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-saml
[2] https://developer.okta.com/docs/guides/saml-tracer/main/

Ed
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions