How can I allow an IAM Identity Center user (federated from Azure AD) to switch role once logged in to an AWS account?

Hi, so I have a use case: I have created users in my Azure AD, created an application and configured SSO with IAM Identity Center in AWS. The users I added to the application are reflected in AWS from Azure AD. All seems fine, as the assigned users are also able to log in to the AWS account with my SSO URL.

But I want to allow each user to switch role once they are logged in to their AWS account.

I have tried to give a trust relationship as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::973225210062:saml-provider/AWSSSO_1c6cc7212ca74b8c_DO_NOT_DELETE"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                },
                "StringLike": {
                    "SAML:sub": "sam@my-cloud-app.link"
                }
            }
        }
    ]
}

But still, when I try to log in to the role, I am not able to switch. Can someone please help me with how I can achieve this?

So, at a high level, I want my users to switch role after they have logged in to the AWS account using the Identity Center URL, but they are not able to switch and get the error "Invalid information in one or more fields. Check your information or contact your administrator."

I am using Azure AD as the external identity provider in my IAM Identity Center.

2 Answers

We do this in the GUI with the help of a Google Chrome plugin called AWS Extend Switch Roles: https://github.com/tilfinltd/aws-extend-switch-roles

Please use at your own risk.

EXPERT
answered 2 months ago
This is achievable quite simply, without any fancy browser add-ons, by using the standard Switch Role functionality built into the AWS Console, as long as the source role and destination role are set up correctly:

Setup:

On the source role (the role in the account you federate into via Identity Center), make sure the permission set the user uses to log in to the account is allowed to perform sts:AssumeRole on the role you want to switch to in the destination account.

On the destination account's role you have two options:

  1. Set the role trust policy to trust all principals in the source account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

NB: This will allow anybody in the source account with sts:AssumeRole permissions to assume that role in the destination account.

  2. Scope down the trust policy to trust only the role the user is logged in with. This is a bit more complicated, as you need to reference the role ARN of the source role in the trust policy. You can do this by taking the name of your permission set, for example AdministratorAccess, and searching for the permission set's name in the IAM roles of the source account.

You should find a role that looks something like this: AWSReservedSSO_AdministratorAccess_<uniqueRandomId>

Open that role and note its ARN.

Edit the above-mentioned trust policy to trust that role, for example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/AWSReservedSSO_AdministratorAccess_<uniqueRandomId>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Now your source and destination role configuration is complete.

Note the name (not the ARN) of your role in the destination account. Log in to your source account, go to the Switch Role option in the console as you normally would, provide the destination role name, destination account ID and a session name, and switch role.

Done :)

Hope this helps.

AWS
Michael
answered 2 months ago
  • Ahh, it doesn't look that simple. I will try it and let you know, thanks.

  • So what I understood is, in the permission set I need to mention sts:AssumeRole?
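Putting the answer above into practice, as an added example that is not from the thread or from AWS: the script below builds the three policy documents involved (the permission-set inline policy on the source side, and the two trust-policy options on the destination side) and evaluates, offline, which Identity Center role sessions each trust policy would accept. Two details a practitioner should check: Identity Center creates its roles under the path aws-reserved/sso.amazonaws.com/ (in some regions the path also carries the region name; copy the exact ARN from the role), so the Principal needs the full ARN including that path, and the Principal element does not accept wildcards. Because the random suffix changes whenever the permission set is re-created, the example also goes beyond the answer with a third variant that trusts the account root and pins the permission set with an ArnLike condition on aws:PrincipalArn. Account IDs, the role name CrossAccountAdmin and the suffix 1a2b3c4d5e6f7a8b are made up.

```python
"""Added example (not from the re:Post thread): build the policy documents the
answer describes and check offline which Identity Center role sessions a trust
policy accepts. Account IDs, role names and the random suffix are made up."""
import fnmatch
import json

SOURCE_ACCOUNT = "111122223333"   # account users land in via Identity Center (assumed)
DEST_ACCOUNT = "444455556666"     # account holding the role to switch into (assumed)
DEST_ROLE_ARN = f"arn:aws:iam::{DEST_ACCOUNT}:role/CrossAccountAdmin"  # hypothetical role

# Identity Center creates its roles under this path; the suffix is random per permission set.
SSO_ROLE_PATH = "aws-reserved/sso.amazonaws.com/"
SOURCE_ROLE_ARN = (f"arn:aws:iam::{SOURCE_ACCOUNT}:role/{SSO_ROLE_PATH}"
                   "AWSReservedSSO_AdministratorAccess_1a2b3c4d5e6f7a8b")


def permission_set_inline_policy(destination_role_arn):
    """Source side: inline policy for the permission set so the session may call AssumeRole."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": destination_role_arn}]}


def trust_policy_account_root(source_account):
    """Destination side, option 1: trust every principal in the source account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
        "Action": "sts:AssumeRole"}]}


def trust_policy_exact_role(source_role_arn):
    """Destination side, option 2: trust only the AWSReservedSSO_* role by its full ARN."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": source_role_arn},
        "Action": "sts:AssumeRole"}]}


def trust_policy_permission_set(source_account, permission_set_name):
    """Variant not in the thread: Principal takes no wildcards, so trust the account root
    and pin the permission set with ArnLike on aws:PrincipalArn. Survives the random
    suffix changing when the permission set is re-created."""
    pattern = (f"arn:aws:iam::{source_account}:role/{SSO_ROLE_PATH}"
               f"AWSReservedSSO_{permission_set_name}_*")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalArn": pattern}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def arn_like(pattern, arn):
    """ArnLike semantics: '*' and '?' match inside each of the six colon-separated parts."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    return (len(p_parts) == len(a_parts) == 6
            and all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts)))


def is_trusted(trust_policy, source_role_arn):
    """Simplified trust evaluation (Allow statements with an AWS principal only): would a
    session of this role pass the policy? IAM matches an assumed-role session against the
    role ARN, which is also what aws:PrincipalArn carries. The caller additionally needs
    sts:AssumeRole on its own side (the permission-set policy above)."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not any(p == source_role_arn
                   or (p.endswith(":root") and _account_of(p) == _account_of(source_role_arn))
                   for p in principals):
            continue
        patterns = _as_list(stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn", []))
        if patterns and not any(arn_like(pat, source_role_arn) for pat in patterns):
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(permission_set_inline_policy(DEST_ROLE_ARN), indent=4))
    print(json.dumps(trust_policy_permission_set(SOURCE_ACCOUNT, "AdministratorAccess"), indent=4))
    readonly = f"arn:aws:iam::{SOURCE_ACCOUNT}:role/{SSO_ROLE_PATH}AWSReservedSSO_ReadOnlyAccess_0000aaaa"
    for name, policy in [("root", trust_policy_account_root(SOURCE_ACCOUNT)),
                         ("exact", trust_policy_exact_role(SOURCE_ROLE_ARN)),
                         ("pattern", trust_policy_permission_set(SOURCE_ACCOUNT, "AdministratorAccess"))]:
        print(f"{name}: admin session trusted={is_trusted(policy, SOURCE_ROLE_ARN)}, "
              f"read-only session trusted={is_trusted(policy, readonly)}")
```

Attach the first document as the inline policy of the permission set in Identity Center, put one of the trust documents on the destination role, then use Switch Role with the destination account ID and the role name. Note that the trust policy in the question grants sts:AssumeRoleWithSAML to the Identity Center SAML provider, which is how Identity Center assumes its own AWSReservedSSO_* role; the role you switch into needs sts:AssumeRole trusted for that source role, as the answer shows.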
