Role switch IAM Identity Center user

0

Hi,

is it possible to let the user from IAM Identity Center to get its role switched? How to setup the policy and permission? Any best practice? Thanks

2 個答案
1

We can make use of Permission Set in IAM Identity Center. After the user login the IAM Identity Center, they can select the Permission Set(role) to use and can also switch to another Permission Set that is assigned to them. For more details, refers to: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html

AWS
已回答 1 年前
profile picture
專家
已審閱 1 個月前
0

Hi Ronald,

thanks for the answer. Is there any possibility to use an inline policy to switch the role for an IAM Identity Center user? I didn't see there is any ARN for the an IAM identity center user.

What I know that an IAM user can assume a role if needed. Ref.: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html

已回答 1 年前
  • To Ronald's point, when you access a permission set in IAM Identity Center, you are effectively switching roles into an AWS account. Maybe you could explain a little more about what you are trying to accomplish by switching roles after authenticating to IAM Identity Center instead of using a permission set?

  • Identity Center users are only users in the context of Identity Center. They don't have ARNs. When you log into Identity Center and assume a permission set, you're assuming a role and the Identity Center username is used as the role session name.

    Consider user John Doe with username john.doe@example[.]com. If they were to access an AdministratorAccess permission set for account 111122223333, the principal ARN would be something like: arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_AdministratorAccess_XXXXXXXXXXXXX/john.doe@example[.]com. You could use that ARN in your policies.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南