Hello,
I am in the process of transitioning from regular account-level IAM to using AWS IAM Identity Center. I have set up a Permission Set with a couple of Customer Managed Policies (CMPs) attached. My goal is to use Attribute-Based Access Control (ABAC) within a CMP to allow individual users to log in to Redshift by calling redshift:GetClusterCredentials, but only when requesting credentials for the Redshift username that matches their AWS username.
I am trying to follow along with this checklist which says:
You can refer to the access control attributes in the permissions policy using the aws:PrincipalTag/key condition.
Similarly, this documentation seems to say that ABAC in Identity Center can be achieved by referencing the PrincipalTags in policy conditions.
So, I have created an attribute in Identity Center called "username" which has the value ${path:userName}. Then, I have written the following condition in one of the CMPs that allows a user to call redshift:GetClusterCredentials on a specific Redshift cluster/db resource:
"Condition": {
    "StringEquals": {
        "aws:PrincipalTag/username": "${redshift:DbUser}"
    }
}
In the CLI, the request looks something like aws redshift get-cluster-credentials --db-user myusername --db-name mydbname --cluster-identifier myclusterid. With this example, the request should only succeed when the user making the request has the username myusername.
However, when I make the request, I get the following error:
when calling the GetClusterCredentials operation: User: arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_MyPermissionSetName_xxxxxxxx/myusername is not authorized to perform: redshift:GetClusterCredentials on resource: arn:aws:redshift:my-region-1:1234567890:dbuser:myclusterid/myusername because no identity-based policy allows the redshift:GetClusterCredentials action
When I view the event log in CloudTrail, I can see that no PrincipalTags are getting passed along to the Identity Center-generated Role assumed by the user via Identity Center federation. It seems the only place where those PrincipalTags show up is in the initial AssumeRoleWithSAML event that occurs when a user initially logs into a specific AWS Account Console using Identity Center.
I have seen a couple of AWS blogs with examples of policies that reference PrincipalTags for ABAC with Identity Center federation (here and here), but both examples are before CMPs were rolled out as a feature in July of 2022. So I'm not sure exactly how those examples should translate for use in CMPs. What I'm currently doing obviously is not working.
So, my question is: how do you use ABAC to restrict individual user-level access to resources in AWS IAM Identity Center Customer Managed Policies? Any help here would be greatly appreciated.
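As an added example, not part of the question above: a small Python model of how the condition in the post is meant to resolve at request time. It substitutes ${...} policy variables from the request context, evaluates the StringEquals condition, and also checks the dbuser Resource ARN in the form the Redshift GetClusterCredentials documentation uses (dbuser:<cluster>/${redshift:DbUser}). It then runs three cases: a session carrying a username tag that requests its own DbUser, the same session requesting another DbUser, and a session with no tag at all, which is the symptom the question describes. The account, region and cluster values are constructed, and the evaluator is a hypothetical simplification that models only Allow statements with StringEquals; it is not IAM's evaluation engine.

```python
"""Toy evaluator for an ABAC condition of the kind used in the question.

Constructed for illustration only: it resolves ${key} policy variables from
a request context and checks StringEquals conditions plus Resource ARNs.
It is not IAM's evaluation engine; Deny statements and other operators are
deliberately not modelled.
"""
import fnmatch
import re

# Constructed placeholder values; not taken from any real account.
ACCOUNT = "123456789012"
REGION = "us-east-1"
CLUSTER = "myclusterid"

# Permission-set statement in the shape the question describes: the principal's
# session tag must equal the DbUser being requested. The dbuser Resource ARN
# follows the pattern from the Redshift GetClusterCredentials documentation.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                f"arn:aws:redshift:{REGION}:{ACCOUNT}:dbuser:{CLUSTER}/${{redshift:DbUser}}",
                f"arn:aws:redshift:{REGION}:{ACCOUNT}:dbname:{CLUSTER}/*",
            ],
            "Condition": {
                "StringEquals": {"aws:PrincipalTag/username": "${redshift:DbUser}"}
            },
        }
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")


def resolve(template, context):
    """Substitute ${key} variables from the request context.

    An unresolvable variable is left verbatim; a literal "${...}" never equals
    a real DbUser, so the comparison fails closed.
    """
    return _VAR.sub(lambda m: str(context.get(m.group(1), m.group(0))), template)


def condition_matches(condition, context):
    """Only StringEquals is modelled; every key must be present and equal."""
    for key, expected in condition.get("StringEquals", {}).items():
        actual = context.get(key)
        if actual is None:
            return False  # missing context key: StringEquals does not match
        values = expected if isinstance(expected, list) else [expected]
        if actual not in [resolve(v, context) for v in values]:
            return False
    return True


def resource_matches(resources, requested, context):
    """Wildcard-match the requested ARN against the resolved Resource list."""
    resources = resources if isinstance(resources, list) else [resources]
    return any(fnmatch.fnmatchcase(requested, resolve(r, context)) for r in resources)


def is_allowed(policy, action, requested_resource, context):
    """True if some Allow statement covers action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not resource_matches(stmt.get("Resource", []), requested_resource, context):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def request_context(session_tags, db_user):
    """Model the request context: session tags appear as aws:PrincipalTag/<key>
    and the CLI's --db-user value appears as redshift:DbUser."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in session_tags.items()}
    ctx["redshift:DbUser"] = db_user
    return ctx


def dbuser_arn(db_user):
    return f"arn:aws:redshift:{REGION}:{ACCOUNT}:dbuser:{CLUSTER}/{db_user}"


def simulate(session_tags, db_user):
    """Evaluate a GetClusterCredentials request for the given session tags."""
    return is_allowed(
        POLICY,
        "redshift:GetClusterCredentials",
        dbuser_arn(db_user),
        request_context(session_tags, db_user),
    )


if __name__ == "__main__":
    print(simulate({"username": "myusername"}, "myusername"))  # True
    print(simulate({"username": "myusername"}, "otheruser"))   # False: tag != DbUser
    print(simulate({}, "myusername"))                          # False: no tag in session
```

The third case is the one worth checking first when debugging a policy like this: if the session the role assumed carries no username tag, aws:PrincipalTag/username is simply absent from the request context and StringEquals cannot match, which produces exactly the "no identity-based policy allows" denial regardless of how the condition is written.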