
Assuming roles when logged in via IAM Identity Center


I have an AWS multi-account setup where I use IAM Identity Center to manage users and control access. I'm using a managed AWS role to grant view-only access. When I'm logged into one of these accounts (let's call it prod), I'd like to be able to use STS to assume a role in a different account (let's call that one shared).

To do this I need to set up an IAM role in shared that grants appropriate access and has a trust policy that allows me to do so. Initially I've started out with this (which works):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<prodAccountID>:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

How do I change that principal from anything coming from prod to only those logged in via the SSO and with a specific role?

As an example:

$ aws sts get-caller-identity
{
    "UserId": "<some-id>:<username>",
    "Account": "<prodAccountID>",
    "Arn": "arn:aws:sts::<prodAccountID>:assumed-role/AWSReservedSSO_view-only_9ec0318096f8cdd9/<username>"
}

I'd like anyone with the AWSReservedSSO_view-only_9ec0318096f8cdd9 role to be able to assume the role.


Solution

  • By a lot of trial and error, it turns out that the aws:PrincipalARN is the ARN of the assumed role. Whether this is bulletproof is unclear to me.

    But it does allow for a trust policy like this to do what I'm looking for:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<prodAccountID>:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "ArnLike": {
                        "aws:PrincipalARN": "arn:aws:iam::<prodAccountID>:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_view-only_*"
                    }
                }
            }
        ]
    }
    

    EDIT: Upon further experimentation I also discovered that it is possible to do:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::<prodAccountID>:role/aws-reserved/sso.amazonaws.com/<SSO-region>/AWSReservedSSO_view-only_9ec0318096f8cdd9"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    

    This comes with the limitation that the SSO-managed role has to exist beforehand and you need to know the full name, not just that it's called view-only.
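An added example (not code from the question or answer) that evaluates both trust-policy shapes above offline against a caller's aws:PrincipalArn, approximating IAM's ArnLike operator with per-component wildcard matching. The account ID and region are placeholders; the role-name suffix is the one quoted in the question.

```python
import re

# Constructed sample: placeholder account ID and region; the role-name suffix
# is the one quoted in the question.
PROD_ACCOUNT = "111111111111"
SSO_ROLE_ARN = (f"arn:aws:iam::{PROD_ACCOUNT}:role/aws-reserved/sso.amazonaws.com/"
                "eu-west-1/AWSReservedSSO_view-only_9ec0318096f8cdd9")
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PROD_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalARN": f"arn:aws:iam::{PROD_ACCOUNT}"
                      ":role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_view-only_*"}},
    }],
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def arn_like(pattern, value):
    """Approximate IAM's ArnLike: match the six colon-delimited ARN components
    one by one, '*' matching any run of characters (including '/') and '?' one
    character; the resource part may itself contain ':', hence maxsplit=5."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(re.fullmatch(re.escape(p).replace(r"\*", ".*").replace(r"\?", "."), v)
               for p, v in zip(p_parts, v_parts))

def statement_allows(stmt, principal_arn):
    """One Allow statement admits sts:AssumeRole from principal_arn if Principal.AWS
    is that account's root (any principal in the account, gated by the Condition)
    or the exact role ARN, and the aws:PrincipalArn ArnLike condition, if any, holds."""
    if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
        return False
    account = principal_arn.split(":")[4]
    if not any(p in (f"arn:aws:iam::{account}:root", principal_arn)
               for p in _as_list(stmt["Principal"]["AWS"])):
        return False
    # IAM condition keys are case-insensitive, so "aws:PrincipalARN" also works.
    arnlike = {k.lower(): v for k, v in stmt.get("Condition", {}).get("ArnLike", {}).items()}
    patterns = arnlike.get("aws:principalarn")
    return patterns is None or any(arn_like(p, principal_arn) for p in _as_list(patterns))

def trust_policy_allows(policy, principal_arn):
    return any(statement_allows(s, principal_arn) for s in policy["Statement"])
```

Note that for an assumed role IAM populates aws:PrincipalArn with the IAM role ARN including its path (the aws-reserved/sso.amazonaws.com/<region>/ part), not the sts:assumed-role ARN that get-caller-identity prints, which is why the pattern must carry that path.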