- 最新
- 投票最多
- 评论最多
You cannot customize the name of roles still assumed by SSO, but the permissions of that role are all defined by your mappings in AWS SSO to the IAM policies defined for that group. With those SSO group to role mappings this would allow you to set granular access. Have you taken a look at this: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html
I have a need similar to what the requestor is asking for... Basically we want permission set to have capability to ONLY-ASSUME a limited set of roles. And then the user's real access is based on these ROLES. The main advantage of this is that you cannot add PermissionSet to an S3 Bucket Policy (AWS will delete/remake permission set roles randomly), but you can do this to regular role.
So, if we agree that PermissionSet roles should really just be "assume-only", then we would like AWS-SSO to automatically assume one or more roles after the user login -- maybe by setting the relay state or something in the AWS-SSO URL.
This is not possible today.
相关内容
AWS 官方已更新 1 年前
