How do I parse multiple group claims from an OIDC Token/Provider into an IAM Policy?

0

Suppose you want to use the "groups" claim from your OIDC provider to dictate resource access for your IAM role.

i.e. if you're in group A, you can touch resource A. A user could be in groups A, B, and C all at the same time.

All of the IAM examples so far seem to assume that a user has a single group or department attribute that dictates access (i.e. bob's department=accounting), instead of multiple (i.e. bob's departments=[accounting]). Usually this is never the case in reality and hardly seems applicable to any use cases.

Furthermore, it seems that mapping the "groups" claim in an OIDC provider with Cognito Identity pools transcribes the array to a singular string (i.e. the array [groupA, groupB, groupC] is parsed to the literal string "["groupA", "groupB", "groupC"]"), which is nearly impossible to use in IAM roles when checking access levels due to a lack of advanced string parsing.

Any ideas? Is this just not a thing in IAM? Can you just simply not use the groups claim from an OIDC provider?
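To make the mismatch in the question concrete, here is an added example (not from the original post or from AWS) that simulates how IAM condition operators behave against the two shapes of the "groups" claim described above: a true multi-valued context key, and the single flattened string that the question says Cognito produces. The context key name `oidc:groups` and all claim values are constructed for illustration; the set-operator semantics (`ForAnyValue:` matches if at least one request value matches, `ForAllValues:` matches only if every request value is in the policy set, and a missing key makes `ForAnyValue` false but `ForAllValues` true) follow the documented IAM rules for multivalued context keys. The treatment of a single-valued operator applied to a multi-valued key is simplified to "no match".

```python
import fnmatch
import json

# Constructed sample claim values (not taken from any real provider).
GROUPS_LIST = ["groupA", "groupB", "groupC"]      # what the IdP actually emits
GROUPS_FLATTENED = json.dumps(GROUPS_LIST)        # '["groupA", "groupB", "groupC"]', the flattened form the question describes

# Hypothetical condition key name used throughout this example.
GROUPS_KEY = "oidc:groups"


def _matcher(base_op):
    """Return the comparison function for a supported IAM string operator."""
    if base_op == "StringEquals":
        return lambda request_value, policy_value: request_value == policy_value
    if base_op == "StringLike":
        return fnmatch.fnmatchcase  # IAM StringLike supports * and ? wildcards
    raise ValueError(f"unsupported operator: {base_op}")


def evaluate_condition(condition, request_context):
    """Evaluate an IAM-style Condition block against a request context dict.

    condition: {"<operator>": {"<key>": value-or-list}} as in a policy document.
    request_context: {"<key>": str | list[str]}; a list models a multivalued key.
    """
    for operator, key_map in condition.items():
        set_mode = None
        base_op = operator
        if operator.startswith("ForAnyValue:"):
            set_mode, base_op = "any", operator.split(":", 1)[1]
        elif operator.startswith("ForAllValues:"):
            set_mode, base_op = "all", operator.split(":", 1)[1]
        match = _matcher(base_op)

        for key, policy_values in key_map.items():
            if isinstance(policy_values, str):
                policy_values = [policy_values]
            request_values = request_context.get(key)

            # Missing key: ForAllValues is vacuously true, everything else fails.
            if request_values is None:
                if set_mode == "all":
                    continue
                return False
            if isinstance(request_values, str):
                request_values = [request_values]

            # Simplification: a single-valued operator cannot match a multivalued key.
            if set_mode is None and len(request_values) > 1:
                return False

            hits = [any(match(v, p) for p in policy_values) for v in request_values]
            if set_mode == "any" and not any(hits):
                return False
            if set_mode in (None, "all") and not all(hits):
                return False
    return True


# Policy intent from the question: members of group A may touch resource A.
ALLOW_GROUP_A = {"ForAnyValue:StringEquals": {GROUPS_KEY: ["groupA"]}}


def allowed_with_multivalued_claim():
    """A real multi-valued key: ForAnyValue finds groupA among A, B, C -> True."""
    return evaluate_condition(ALLOW_GROUP_A, {GROUPS_KEY: GROUPS_LIST})


def allowed_with_flattened_claim():
    """The flattened string is one value that equals none of the policy values -> False."""
    return evaluate_condition(ALLOW_GROUP_A, {GROUPS_KEY: GROUPS_FLATTENED})


def allowed_only_if_every_group_is_approved(approved):
    """ForAllValues: a user carrying any group outside 'approved' is rejected."""
    policy = {"ForAllValues:StringEquals": {GROUPS_KEY: approved}}
    return evaluate_condition(policy, {GROUPS_KEY: GROUPS_LIST})


if __name__ == "__main__":
    print("flattened claim looks like:", GROUPS_FLATTENED)
    print("multi-valued key, ForAnyValue:", allowed_with_multivalued_claim())
    print("flattened string, ForAnyValue:", allowed_with_flattened_claim())
    print("ForAllValues with A,B approved:", allowed_only_if_every_group_is_approved(["groupA", "groupB"]))
```

The point the simulation makes is that IAM's set operators only help when the context key actually carries several values; once the array has been serialised into one string, every comparison sees a single value equal to the whole JSON literal, so neither `StringEquals` nor `ForAnyValue:StringEquals` on `groupA` can match it.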

1 Answer
0

Assuming you are using Cognito for authN and implementing groups to assign roles, you have the option of using priority within your roles. If that does not suffice, you can implement RBAC as defined at https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html .

AWS
answered 2 years ago
  • RBAC still caps out at 25 rules -> 25 roles per OIDC provider, right? So if you had more than 25 possible groups this wouldn't be a practical solution either.

    It also forces you to "pick" a single role to sign in as at a time, instead of utilizing the credentials of multiple, which isn't ideal.
