Configure AWS roles with custom user attributes to have one AWS IAM SAML/SSO connector that services all of your AWS roles. It's an effective method for admins who have highly unique permission sets across their users. You can configure custom attributes on individual users and/or at the group level with Group Inherited User Attributes.
Prerequisites:
- An activated AWS SSO connector to configure AWS roles.
- Not applicable to SSO with AWS IAM Identity Center.
- You need to create federated roles in AWS and collect their ARNs before you can configure AWS roles in the admin console. Learn more about creating federated roles and collecting ARNs in Create Federated Roles in AWS.
- You can add and modify custom attributes with the PowerShell Module.
Creating AWS Roles with Custom User Attributes
To configure AWS roles in the admin console using custom user or custom group inherited attributes:
- Log in to the admin console.
- Go to USER AUTHENTICATION > SSO Applications, then select the AWS connector to open the connector's details panel.
- Under the SSO tab, decide on a naming convention to represent your AWS roles.
- Delete the pre-populated AWS role attribute in Constant Attributes, unless there is a role that should be available to all AWS users.
- In User Attribute Mapping, click add attribute for every role you need to create.
- Under Service Provider Attribute Name, enter https://aws.amazon.com/SAML/Attributes/Role for each user attribute.
- Under Attribute Name (the IdP side of the mapping), enter the names that represent your AWS roles.
- Click save.
- To specify a role or multiple roles for a specific user:
- Go to Users, then select an existing user or create a new user. Learn more about creating new users in Get Started: Users.
- In the Users Details panel, go to Custom Attributes, then click add new custom attributes for each of the roles relevant to this user.
- For Attribute Name, enter the name of one of your AWS roles that’s listed on the AWS connector.
- For Attribute Value, enter the ARN of the role and the ARN of the SAML identity provider registered in that AWS account, separated by a comma. For example: arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:role/ROLE_NAME,arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:saml-provider/SAML_PROVIDER_NAME.
Each ARN contains the account number of the account that owns the role. Multiple ARNs, across multiple accounts, can be added to any user.
- Click save user.
- To specify a role or multiple roles at the group level and have the role(s) inherited by all members of the group:
- Go to User Groups, then select an existing group or create a new user group. Learn more about creating new user groups in Get Started: User Groups.
- In the Details tab, go to Custom Attributes, then click add new custom attributes for each of the roles relevant to this user group.
- For Attribute Name, enter the name of one of your AWS roles that’s listed on the AWS connector.
- For Attribute Value, enter the ARN of the role and the ARN of the SAML identity provider registered in that AWS account, separated by a comma. For example: arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:role/ROLE_NAME,arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:saml-provider/SAML_PROVIDER_NAME.
- Click save.
Each ARN contains the account number of the account that owns the role. Multiple ARNs, across multiple accounts, can be added to any user group, and every member inherits them.
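The value format above (role ARN, comma, SAML provider ARN) is easy to get subtly wrong, and an attribute set on a user or group whose name is not mapped on the connector is silently ignored. The following added example, which is not part of the original page or the product's own code, shows how an admin could pre-check the mappings before saving them: it parses each value, verifies both ARNs are well formed and belong to the same AWS account, merges a user's own custom attributes with the attributes inherited from their groups, keeps only the attribute names the connector maps to the AWS Role attribute, and returns the deduplicated list of values the SAML assertion would carry. The attribute names (AWSAdmin, AWSReadOnly), account numbers and provider name are constructed sample data.

```python
import re
from dataclasses import dataclass

# Service-provider attribute name from the connector configuration (from the page).
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Shapes of the two ARNs that make up one attribute value. A role name may not
# contain a comma here because the comma is the separator between the two ARNs.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@/-]+)$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")


@dataclass(frozen=True)
class RoleMapping:
    role_arn: str
    provider_arn: str
    account_id: str

    def saml_value(self) -> str:
        """The string AWS expects in the Role attribute: 'role_arn,provider_arn'."""
        return f"{self.role_arn},{self.provider_arn}"


def parse_role_value(value: str) -> RoleMapping:
    """Parse and validate one custom attribute value; raise ValueError on any defect."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected 'role_arn,provider_arn', got {value!r}")
    role_arn, provider_arn = parts
    m_role = ROLE_ARN_RE.match(role_arn)
    if not m_role:
        raise ValueError(f"malformed role ARN: {role_arn!r}")
    m_prov = PROVIDER_ARN_RE.match(provider_arn)
    if not m_prov:
        raise ValueError(f"malformed SAML provider ARN: {provider_arn!r}")
    # The provider must be the one registered in the account that owns the role;
    # a mismatch means AssumeRoleWithSAML will be refused at login time.
    if m_role.group(1) != m_prov.group(1):
        raise ValueError("role ARN and provider ARN belong to different AWS accounts")
    return RoleMapping(role_arn, provider_arn, m_role.group(1))


def is_valid_role_value(value: str) -> bool:
    """Boolean wrapper used for bulk checks and tests."""
    try:
        parse_role_value(value)
        return True
    except ValueError:
        return False


def effective_role_values(mapped_names, user_attrs, group_attrs_list):
    """Merge user attributes with group-inherited ones and build the SAML Role values.

    mapped_names:      attribute names the connector maps to ROLE_ATTR.
    user_attrs:        {attribute_name: value} set directly on the user.
    group_attrs_list:  one {attribute_name: value} dict per group the user belongs to.
    Returns (sorted unique Role values, sorted attribute names that are NOT mapped
    on the connector and would therefore never reach AWS).
    """
    merged = {}
    for attrs in [*group_attrs_list, user_attrs]:   # user-level values win on a name clash
        merged.update(attrs)
    values, unmapped = set(), set()
    for name, raw in merged.items():
        if name not in mapped_names:
            unmapped.add(name)
            continue
        values.add(parse_role_value(raw).saml_value())
    return sorted(values), sorted(unmapped)


def build_role_attribute(mapped_names, user_attrs, group_attrs_list):
    """Shape of the attribute statement the IdP would emit for this user."""
    values, _ = effective_role_values(mapped_names, user_attrs, group_attrs_list)
    return {ROLE_ATTR: values}


if __name__ == "__main__":
    # Constructed sample data: two accounts, one provider name, one stray attribute.
    prov = "arn:aws:iam::{acct}:saml-provider/SAML_PROVIDER_NAME"
    admin = f"arn:aws:iam::111111111111:role/Admin,{prov.format(acct='111111111111')}"
    ro = f"arn:aws:iam::222222222222:role/ReadOnly,{prov.format(acct='222222222222')}"
    mapped = {"AWSAdmin", "AWSReadOnly"}
    user = {"AWSAdmin": admin, "AWSBilling": "arn:aws:iam::111111111111:role/Billing," + prov.format(acct='111111111111')}
    groups = [{"AWSReadOnly": ro}, {"AWSAdmin": admin}]
    vals, stray = effective_role_values(mapped, user, groups)
    print("Role values:", *vals, sep="\n  ")
    print("Attributes not mapped on the connector:", stray)
```

The unmapped-name report is the check most worth running after a rename on the connector: a typo in the user-side attribute name produces no error anywhere, it just removes the role from the user's AWS login page.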
User Experience
After the SSO connector is created and your roles are configured, make sure to authorize user access. Learn more about authorizing user access to applications in the documentation on authorizing users to applications.
When you use custom user attributes to create AWS roles, all authorized users see a single AWS connector in their user portal. When a user clicks the AWS connector, they are directed to the AWS login page, which lists the accounts and roles that user has access to; the page therefore differs from user to user according to the roles mapped to them directly or inherited from their groups.