tagging a AWSReservedSSO role wit SSMSessionRunAs

Question

Hi,
I'm working with AWS SSO based on Jumpcloud external Idp.
I'd like to find a way to put the tag SSMSessionRunAs tag to the AWSReservedSSO role created by SSO into AWS accounts.
If I try to put the tag directly I receive:
"Cannot perform the operation on the protected role 'AWSReservedSSO_xxxxx' - this role is only modifiable by AWS"

Someone know a way to do that ? Or maybe a "plan B" or a way to add the tag SSMSessionRunAs ?

Thanks a lot
Dario

Answer

Assume you want to use this for SSM and not only for tagging - this [post](https://aws.amazon.com/blogs/security/configure-aws-sso-abac-for-ec2-instances-and-systems-manager-session-manager/) describes the process with Okta but it should be quite similar with JumpCloud. You can provide the attribute as part of the assertion and then leverage it in the Permission Set.

tagging a AWSReservedSSO role wit SSMSessionRunAs

相关内容