2 Answers
Thanks to kentrad's answer, I found a good solution to this.
First run the below while logged into the CLI with the SSO user you want to add
```shell
aws sts get-caller-identity --query Arn --output text
```
This should generate an output like
```
arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER
```
Whatever gets generated, just put it into the policy like
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:user/User1",
          "arn:aws:iam::123456789012:user/User2",
          "arn:aws:sts::123456789012:assumed-role/ROLEID:SSOUSER"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
That should be enough to get the SSO user to be able to assume that role.
answered a year ago
You can add your role ARN to the trust policy of the role you want to assume. You can find your ARN using the following CLI commands.
```shell
# UserId for an assumed role is "ROLEID:SESSIONNAME"; keep the role id part.
RoleId=$(aws sts get-caller-identity --query UserId --output text | cut -f1 -d':')
# Quote the JMESPath query so the shell does not treat [ ? ] as a glob pattern.
aws iam list-roles --query "Roles[?RoleId=='$RoleId'].Arn"
```
Once the trust policy is updated you can issue the `aws sts assume-role` command to get the access key id and secret key for the new role.
You can also do something like this:
```shell
# The caller ARN has the form arn:aws:sts::ACCOUNT:assumed-role/ROLENAME/SESSIONNAME;
# the second "/"-separated field is the role name, which list-roles exposes as RoleName.
RoleName=$(aws sts get-caller-identity --query Arn --output text | cut -d'/' -f2)
aws iam list-roles --query "Roles[?RoleName=='$RoleName'].Arn"
```
So, the `RoleId` that is getting fetched here is the role that was created in IAM for the permission set created in Identity Center, right? In that case, won't all users in Identity Center having this permission set get added to the trust policy? Is it not possible to only add a user from Identity Center? Would it be possible to use `Federated` or something?
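The two answers above and the follow-up comment turn on one distinction: whether the trust policy names the IAM role behind the Identity Center permission set (every user holding that permission set can then assume the target role) or the STS session ARN that `get-caller-identity` prints (only sessions with that role and session name match). The script below is an added illustration, not code from either answer or from AWS; it parses a constructed sample caller ARN, derives both principal forms, builds and extends the trust policy document from the first answer, and audits a trust policy to show how broad each principal is. The account id, role name and user name are placeholders, and writing the result back with `aws iam update-assume-role-policy` is left to the CLI.

```python
import json
import re

# Constructed sample of what `aws sts get-caller-identity --query Arn --output text`
# returns for an IAM Identity Center session. Account id, role and user are placeholders.
SAMPLE_CALLER_ARN = (
    "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_PermSet_abc123/alice@example.com"
)

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")


def parse_assumed_role_arn(arn):
    """Split an STS assumed-role ARN into (account_id, role_name, session_name)."""
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        raise ValueError(f"not an STS assumed-role ARN: {arn}")
    return m.group(1), m.group(2), m.group(3)


def role_principal(caller_arn):
    """IAM role ARN behind the session (what the second answer looks up with list-roles).
    Trusting it trusts every session of that role, i.e. every Identity Center user
    who holds the permission set, which is the concern raised in the comment."""
    account, role_name, _ = parse_assumed_role_arn(caller_arn)
    return f"arn:aws:iam::{account}:role/{role_name}"


def build_trust_policy(principals):
    """Trust policy allowing the listed AWS principals to call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": list(principals)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def add_principal(policy, principal):
    """Return a copy of `policy` with `principal` appended to the first Allow
    statement's AWS principal list; the original is left untouched and duplicates
    are not added. IAM accepts a bare string or a list for "AWS", so handle both."""
    new = json.loads(json.dumps(policy))
    stmt = next(s for s in new["Statement"] if s.get("Effect") == "Allow")
    aws = stmt.setdefault("Principal", {}).get("AWS", [])
    aws = [aws] if isinstance(aws, str) else list(aws)
    if principal not in aws:
        aws.append(principal)
    stmt["Principal"]["AWS"] = aws
    return new


def audit_trust_policy(policy):
    """Classify every AWS principal in Allow statements by how much it trusts.
    Returns a list of (principal, scope) pairs, broadest scopes first in the list
    of labels below: anyone > whole account > every session of a role >
    one session name > single IAM user."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p == "*":
                findings.append((p, "anyone"))
            elif p.endswith(":root"):
                findings.append((p, "whole account"))
            elif ":role/" in p:
                findings.append((p, "every session of the role"))
            elif ":assumed-role/" in p:
                findings.append((p, "one role session name"))
            else:
                findings.append((p, "single IAM user or other"))
    return findings


if __name__ == "__main__":
    # Narrow form: trust exactly the session printed by get-caller-identity.
    policy = build_trust_policy([SAMPLE_CALLER_ARN])
    policy = add_principal(policy, "arn:aws:iam::123456789012:user/User1")
    print(json.dumps(policy, indent=2))
    # Broad form for comparison: the role ARN covers every holder of the permission set.
    for principal, scope in audit_trust_policy(
        add_principal(policy, role_principal(SAMPLE_CALLER_ARN))
    ):
        print(f"{scope:28} {principal}")
```

Running the script prints the trust policy in the same shape as the first answer's JSON, then the audit lines, which make the comment's point visible: the `:role/AWSReservedSSO_...` principal is reported as trusting every session of the role, while the `assumed-role/.../alice@example.com` entry is reported as a single session name.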