Role switch IAM Identity Center user

0

Hi,

Is it possible to let a user from IAM Identity Center switch roles? How do I set up the policy and permissions? Any best practices? Thanks

Asked 1 year ago, 651 views
2 answers
1

We can make use of Permission Sets in IAM Identity Center. After the user logs in to IAM Identity Center, they can select the Permission Set (role) to use and can also switch to another Permission Set that is assigned to them. For more details, refer to: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html

AWS
Answered 1 year ago
Expert
Reviewed 1 month ago
0

Hi Ronald,

thanks for the answer. Is there any possibility to use an inline policy to switch the role for an IAM Identity Center user? I didn't see that there is any ARN for an IAM Identity Center user.

What I know is that an IAM user can assume a role if needed. Ref.: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html

Answered 1 year ago
  • To Ronald's point, when you access a permission set in IAM Identity Center, you are effectively switching roles into an AWS account. Maybe you could explain a little more about what you are trying to accomplish by switching roles after authenticating to IAM Identity Center instead of using a permission set?

  • Identity Center users are only users in the context of Identity Center. They don't have ARNs. When you log into Identity Center and assume a permission set, you're assuming a role and the Identity Center username is used as the role session name.

    Consider user John Doe with username john.doe@example[.]com. If they were to access an AdministratorAccess permission set for account 111122223333, the principal ARN would be something like: arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_XXXXXXXXXXXXX/john.doe@example[.]com. You could use that ARN in your policies.
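Building on the comment above, here is a trust policy for a target role that lets only sessions coming from the AdministratorAccess permission set in account 111122223333 assume it. This is an added example, not from the thread or the AWS documentation; it assumes the AWSReservedSSO role lives under the `/aws-reserved/sso.amazonaws.com/` path (the `*` before the role name also covers deployments where a region segment appears in that path) and that the permission set's inline policy separately allows `sts:AssumeRole` on the target role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAdministratorAccessPermissionSetSessions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_AdministratorAccess_*"
        }
      }
    }
  ]
}
```

The Principal is the account root plus an ArnLike condition rather than the role ARN itself because the AWSReservedSSO role name ends in a suffix generated by Identity Center, which wildcards in a Condition can match but the Principal element cannot. Audit who actually assumed the target role from the `userIdentity.sessionContext` and `userIdentity.principalId` fields in CloudTrail, where the Identity Center username appears as the role session name.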
