IAM Identity Center user variable

0

Is there a way to associate a variable value, i.e. key pair, with an individual IAM Identity Center user?

The situation I am trying to resolve is to give each individual IAM Identity Center user the ability to update their personal IP address in the security group that controls access to our bastion host. Restricting to the Security Group is easy enough, but I want to limit users to modifying only their particular Security Group Rule. To do this I need to associate a particular sgr- value with each user which is then used as part of a resource ARN.

1 Answer
0

Yes, there is a way to associate variable values like key pairs with individual IAM Identity Center users.

When you create permission sets in IAM Identity Center, you can define variables that will be available to the IAM policies assigned to users through those permission sets. For example, you could define a variable called ${sso:user} that contains the username of the authenticated user. [1]

Then in your IAM policies, you can reference this variable to customize the resources a user has access to based on their identity. For the scenario you described, you could create a policy that allows modifying security group rules where the rule ID contains the ${sso:user} variable.

For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:AuthorizeSecurityGroupIngress",
      "Resource": "arn:aws:ec2:*:*:security-group-rule/sgr-${sso:user}",
      "Effect": "Allow"
    }
  ]
}

This would allow each IAM Identity Center user to only modify rules associated with their own username. The key is defining variables in your permission sets that are then available to customize access in IAM policies. Let me know if any part needs more explanation! [2]

Sources

[1] Limit IAM Identity Center Users to defined Region | AWS re:Post, repost.aws/questions/QU5wjaO6vZR7Kx7SUULYYjrw/limit-iam-identity-center-users-to-defined-region

[2] Identity-based policy examples for IAM Identity Center - AWS IAM Identity Center, docs.aws.amazon.com/singlesignon/latest/iam-auth-access-using-id-policies.html

AWS, answered 2 months ago
EXPERT, reviewed a month ago
  • Many thanks for the prompt reply Ibrahim. The details kindly provided are consistent with what I know, but what is missing - and the bit I am in need of knowing - is how do I assign a unique value to the variable? In IAM Identity Center I am aware that there are a number of fields under the headings Primary information, Contact methods, Job-related information etc. that can be used, but if I want a variable named "abcxyz" associated with each user that contains a unique value, where/how do I declare that?
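To make the scoping effect of the answer's policy concrete, here is an added example (not code from the answer, AWS, or re:Post) that loads the policy above and evaluates constructed requests against it offline. It is a deliberately small model of IAM evaluation: policy variables in the Resource field are substituted from a context dictionary, `*` and `?` are matched with IAM wildcard semantics, explicit Deny wins over Allow, and anything unmatched is an implicit deny. The variable name is treated as opaque, so the evaluator does not depend on whether `${sso:user}` is the variable that ends up available in your permission set; it only assumes, as the answer does, that some variable resolves to a per-user value. The user names `alice`/`bob`, the region and the account ID `123456789012` are constructed placeholders.

```python
import json
import re

# Policy from the answer above, embedded verbatim as a constant.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:AuthorizeSecurityGroupIngress",
      "Resource": "arn:aws:ec2:*:*:security-group-rule/sgr-${sso:user}",
      "Effect": "Allow"
    }
  ]
}""")

# Matches policy variables such as ${sso:user} or ${aws:username}.
VAR_RE = re.compile(r"\$\{([A-Za-z0-9:_\-]+)\}")


def substitute(value, context):
    """Replace every ${var} in value with context[var].

    Returns None when any variable is unset: in IAM a statement whose
    variable has no value in the request context simply never matches.
    """
    missing = False

    def repl(match):
        nonlocal missing
        resolved = context.get(match.group(1))
        if resolved is None:
            missing = True
            return ""
        return resolved

    out = VAR_RE.sub(repl, value)
    return None if missing else out


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Simplified: Action/Resource/Effect only, no Condition or NotResource.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        matched = False
        for res_pattern in _as_list(stmt.get("Resource", [])):
            resolved = substitute(res_pattern, context)
            if resolved is None:  # unset variable: statement cannot match
                continue
            if iam_match(resolved, resource):
                matched = True
                break
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def demo():
    """Constructed requests from user 'alice' against the answer's policy."""
    ctx = {"sso:user": "alice"}  # assumes the variable resolves to the user name
    own = "arn:aws:ec2:eu-west-1:123456789012:security-group-rule/sgr-alice"
    other = "arn:aws:ec2:eu-west-1:123456789012:security-group-rule/sgr-bob"
    action = "ec2:AuthorizeSecurityGroupIngress"
    return {
        "own_rule": evaluate(POLICY, action, own, ctx),
        "other_rule": evaluate(POLICY, action, other, ctx),
        "other_action": evaluate(POLICY, "ec2:RevokeSecurityGroupIngress", own, ctx),
        "no_variable": evaluate(POLICY, action, own, {}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `no_variable` case is the one worth keeping in mind: if the permission set's variable does not resolve for a given principal, the Allow never matches and the user gets an implicit deny rather than broad access, which is the safe direction. The evaluator also shows that the policy only permits `ec2:AuthorizeSecurityGroupIngress`; revoking the user's old address before adding the new one would need a second Action entry under the same variable-scoped Resource.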
