I am trying to allow a user to assume a role on AWS. I attached an assume role policy to a group where the IAM user belongs so that they can assume a particular role. The problem is that the user now uses SSO to log in and is no longer allowed to log in through the console with the IAM user credentials, therefore the user is unable to assume the role. How can I configure a user with SSO login to assume an existing IAM role? When I created the AssumeRole policy I chose both AssumeRole and AssumeRoleWithSaml. But it’s still not working.

This is what the AssumeRole policy looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:AssumeRoleWithSAML"
            ],
            "Resource": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/KinesisFirehoseServiceRole--us-east-1-xxxxxxxxxxxxx"
        }
    ]
}

The trust relationship for the role looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "firehose.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

3 Answers

  1. Chosen as BEST ANSWER

    Thanks to everyone that responded. I was able to complete the task using these instructions: google saml sso with AWS


  2. You need to specifically allow that user / role to be able to assume that role. Right now, the Principal is set to only allow the "firehose service" to assume that role.

    The second problem is that you need to specifically allow an SSO account to be able to access it. You’ll need to get the ARN of your current SSO user session. To get this you should run aws sts get-caller-identity

    You should get something like this

    {
        "UserId": "BROA5DAM2TACHAA38V9J1:[email protected]",
        "Account": "1234567890",
        "Arn": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
    }
    

    Or as a one-liner: aws sts get-caller-identity --output text --query Arn

    Then take that value and add it to your policy as an additional policy statement.

    {
        "Version": "2012-10-17",
        "Statement":
        [
            {
                "Effect": "Allow",
                "Principal":
                {
                    "Service": "firehose.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            },
            {
                "Effect": "Allow",
                "Principal":
                {
                    "AWS": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    

    And now you can use:

    aws sts assume-role --role-arn=arn:aws:iam::123456823432:role/NameOfYourRole --role-session-name=role-session-name

  3. I managed to enable SSO users to assume a role in the account they were authenticated to by using the following. Note that you’ll need to replace ${ACCOUNT_ID}, ${SSO_ROLE_NAME}, and ${ASSUMABLE_ROLE_NAME}. You may, of course, need to repackage the bits.

    aws iam create-role --role-name ${ASSUMABLE_ROLE_NAME} --assume-role-policy-document file://policy.json --profile $PROFILE
    

    policy.json:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::${ACCOUNT_ID}:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "ArnLike": {
                "aws:PrincipalArn": [
                    "arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_${SSO_ROLE_NAME}_*",
                    "arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_${SSO_ROLE_NAME}_*"
                ]
            }
          }
        }
      ]
    }
    
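The two working answers above differ in how they name the SSO caller in the trust policy: answer 2 pins a single role session ARN, answer 3 uses an ArnLike condition on aws:PrincipalArn that tolerates the random suffix AWS appends to the permission-set role and the optional region segment in its path. The following added example (not code from this thread or from AWS) lets you check offline which callers a given trust policy admits before you change it. It models only Allow statements, the AWS principal element, and ArnLike/ArnEquals on aws:PrincipalArn, failing closed on anything else; the account ID, permission-set name, session suffix and the role path are constructed sample values. Note that aws:PrincipalArn is compared against the IAM role ARN, not the sts assumed-role ARN that get-caller-identity prints, and the role's path is not recoverable from the session ARN, so the helper takes it as an argument.

```python
import re

# Constructed sample values (not from the thread): account, permission set, session.
ACCOUNT_ID = "123456789012"
SSO_ROLE_NAME = "AWSAdministratorAccess"
SSO_ROLE_PATH = "/aws-reserved/sso.amazonaws.com/"   # path AWS uses for IAM Identity Center roles
SESSION_ARN = (f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/"
               f"AWSReservedSSO_{SSO_ROLE_NAME}_abe68abec87ew/something.username")


def sso_trust_policy(account_id, sso_role_name):
    """Trust policy from answer 3 with the placeholders filled in."""
    prefix = f"arn:aws:iam::{account_id}:role/aws-reserved/sso.amazonaws.com"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"ArnLike": {"aws:PrincipalArn": [
                f"{prefix}/*/AWSReservedSSO_{sso_role_name}_*",
                f"{prefix}/AWSReservedSSO_{sso_role_name}_*",
            ]}},
        }],
    }


# The question's original trust policy: only the Firehose service may assume the role.
FIREHOSE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "firehose.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def role_arn_for_session(session_arn, path="/"):
    """Turn the sts assumed-role ARN that get-caller-identity prints into the IAM
    role ARN that aws:PrincipalArn is compared against. The session ARN carries
    no path, so the caller supplies it (assumption: known from `aws iam get-role`)."""
    parts = session_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts" or not parts[5].startswith("assumed-role/"):
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    role_name = parts[5].split("/")[1]
    return f"arn:aws:iam::{parts[4]}:role{path}{role_name}"


def arn_like(pattern, arn):
    """ArnLike as modelled here: the six colon-separated ARN components are
    matched one by one, '*' matching any run of characters and '?' one character."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, a) is None:
            return False
    return True


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = arn.split(":", 5)[4]
    for entry in _as_list(principal.get("AWS", [])):
        # An account-root principal admits any identity in that account (the
        # identity's own policy must still grant sts:AssumeRole).
        if entry in ("*", arn, account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def _conditions_hold(condition, arn):
    """Only ArnLike/ArnEquals on aws:PrincipalArn are modelled; anything else fails closed."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            if key != "aws:PrincipalArn":
                return False
            if operator == "ArnLike" and any(arn_like(p, arn) for p in _as_list(values)):
                continue
            if operator == "ArnEquals" and arn in _as_list(values):
                continue
            return False
    return True


def can_assume(trust_policy, principal_arn):
    """True if some Allow statement lets principal_arn call sts:AssumeRole.
    Deny statements are not modelled."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not _principal_matches(stmt.get("Principal", {}), principal_arn):
            continue
        if _conditions_hold(stmt.get("Condition", {}), principal_arn):
            return True
    return False


if __name__ == "__main__":
    sso_role = role_arn_for_session(SESSION_ARN, SSO_ROLE_PATH)
    print("caller's role ARN:", sso_role)
    print("original trust policy admits SSO role:", can_assume(FIREHOSE_ONLY_POLICY, sso_role))
    print("answer-3 trust policy admits SSO role:",
          can_assume(sso_trust_policy(ACCOUNT_ID, SSO_ROLE_NAME), sso_role))
```

Run it as-is to see the original Firehose-only trust policy reject the SSO role and the answer-3 policy accept it; swap in a different permission-set name or account ID and the pattern correctly stops matching, which is the property you want from a trust policy: it admits exactly the permission set you intend and nothing else in the account.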