How do I parse multiple group claims from an OIDC Token/Provider into an IAM Policy?

0

Suppose you want to use the "groups" claim from your OIDC provider to dictate resource access for your IAM role.

i.e. if you're in group A, you can touch resource A. A user could be in groups A, B, and C all at the same time.

All of the IAM examples so far seem to assume that a user has a single group or department attribute that dictates access (i.e. bob's department=accounting), instead of multiple (i.e. bob's departments=[accounting]). Usually this is never the case in reality and hardly seems applicable to any use cases.

Furthermore, it seems that mapping the "groups" claim in an OIDC provider with Cognito Identity pools transcribes the array to a singular string (i.e. the array [groupA, groupB, groupC] is parsed to the literal string "["groupA", "groupB", "groupC"]"), which is near impossible to use in IAM roles when checking access levels due to a lack of advanced string parsing.

Any ideas? Is this just not a thing in IAM? Can you just simply not use the groups claim from an OIDC provider?
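As an added illustration (not part of the original post), the following Python models the problem described above: the "groups" array is flattened into one literal string, and the only matching available in an IAM condition is wildcard-style. The `string_like` helper is a local model of IAM's `*`/`?` `StringLike` semantics, not an IAM evaluation, and it shows why a bare `*groupA*` pattern over-matches (`groupAB`) while matching the quoted token does not.

```python
import json
import re

# Constructed sample of the "groups" claim as an OIDC provider might issue it.
GROUPS_CLAIM = ["groupA", "groupB", "groupC"]


def stringify_groups(groups):
    """Model the behaviour described in the question: the array becomes one
    literal string such as '["groupA", "groupB", "groupC"]'."""
    return json.dumps(groups)  # default ', ' separator matches the question's example


def string_like(pattern, value):
    """Local model of IAM StringLike (assumption: '*' matches any run of
    characters, '?' matches exactly one, everything else is a literal,
    case-sensitive match). This is a simulation, not IAM itself."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def naive_group_check(group, stringified):
    """Substring-style pattern: matches any group name that merely contains
    the wanted name, so 'groupA' also matches 'groupAB'."""
    return string_like("*" + group + "*", stringified)


def quoted_group_check(group, stringified):
    """Anchor on the JSON quotes around the token so only an exact group
    name in the flattened array matches."""
    return string_like('*"' + group + '"*', stringified)


def compare_checks(group, groups):
    """Return (naive, quoted) results for one group against a groups array."""
    flat = stringify_groups(groups)
    return naive_group_check(group, flat), quoted_group_check(group, flat)


if __name__ == "__main__":
    print(stringify_groups(GROUPS_CLAIM))
    print("groupA in real claim:", compare_checks("groupA", GROUPS_CLAIM))
    print("groupA vs [groupAB]:", compare_checks("groupA", ["groupAB"]))
```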

1 answer
0

Assuming you are using Cognito for authN and implementing groups to assign roles, you have the option of using priority within your roles. If that does not suffice you can implement RBAC as defined at https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html.

AWS
Answered 2 years ago
  • RBAC still caps out at 25 rules -> 25 roles per OIDC provider, right? So if you had more than 25 possible groups this wouldn't be a practical solution either.

    It also forces you to "pick" a single role to sign in as at a time, instead of utilizing the credentials of multiple, which isn't ideal.
