Tags: amazon-iam, saml, roles, google-workspace

Targeting federated SAML users in IAM role policies


We're currently using G Suite as an IdP for our AWS SAML access, which assumes a role within a handful of accounts to give our G Suite users access to certain AWS resources. Each account has a similarly named role that the G Suite user can assume to get access to certain resources in that account, which is all working as expected.

I'm looking into whether I can configure that assumed role to give more fine-grained access to certain users for certain resources, without having to assign completely different roles to different users within G Suite itself.

For example, if the role assumed within the account is called "assumed_gsuite_ro" and doesn't give access to IAM, you get errors in the IAM console such as:

User: arn:aws:sts::0012345678900:assumed-role/assumed_gsuite_ro/matt@domain.com is not authorized to perform: iam:GetAccountSummary on resource: *

So I'd like to add something like the following to the assumed_gsuite_ro role policy to give just my federated user access to that in IAM:

...
{
    "Sid": "IAMTest",
    "Effect": "Allow",
    "Action": [
        "iam:GetAccountSummary",
        "iam:ListAccountAliases"
    ],
    "Resource": "*",
    "Condition": {
        "ArnEquals": {
            "aws:SourceArn": "arn:aws:sts::0012345678900:assumed-role/assumed_gsuite_ro/matt@domain.com"
        }
    }
}
...

However, this doesn't work as apparently the SourceArn doesn't match. Is there a value of the condition I can use that will allow me to target the specific federated user that AWS seems to know about? I was thinking something like aws:userid or aws:username might work, but I'm not sure what the values of those would be in this case.


Solution

  • Having delved a bit deeper and found this page in the AWS documentation, which describes how the value of aws:userid is made up in a SAML/federated context, I've determined the following works:

    "Condition": {
        "StringLike": {
            "aws:userid": "AROAROLEID:matt@domain.com"
        }
    }
    

    Where AROAROLEID is the value of the "role ID" for the role you're assuming (assumed_gsuite_ro in my example), which according to this page you can only get from a get-role call to the AWS CLI (it's the value of RoleId).
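To make the mechanism in this answer concrete, here is an added example (not code from the question or the answer above) that models just enough of the IAM policy language to show why the original aws:SourceArn condition can never match a call made by a federated user, while the aws:userid condition does. For an assumed role the request context carries aws:userid as "<RoleId>:<role-session-name>", and with SAML federation the session name is the subject from the assertion, so it is the G Suite e-mail address. aws:SourceArn is only present in the request context when an AWS service makes the call on your behalf, and aws:username is only present for IAM users, so neither key exists for this session and a condition on them evaluates to false. The role ID, account number, session names and the helper functions are all constructed placeholders; the real RoleId comes from `aws iam get-role --role-name assumed_gsuite_ro`.

```python
"""Toy evaluator for IAM statement conditions against a SAML role session.

Added example, not from the original post. It implements a subset of the
IAM policy language: Allow statements, Action/Resource globbing, the
StringEquals/StringLike/ArnEquals/ArnLike operators and the rule that a
condition key missing from the request context makes the test false.
"""
import json
import re

ROLE_ID = "AROAEXAMPLEROLEID12"   # placeholder; a real RoleId also starts with AROA
ACCOUNT = "123456789012"         # placeholder account ID
ROLE_NAME = "assumed_gsuite_ro"


def saml_session_context(role_id: str, session_name: str) -> dict:
    """Request-context keys a SAML-federated role session carries.

    aws:userid is "<role-id>:<role-session-name>"; with SAML the session
    name is the assertion subject (the G Suite address). aws:username is
    only set for IAM users and aws:SourceArn only for service-initiated
    calls, so both are deliberately absent here.
    """
    return {"aws:userid": f"{role_id}:{session_name}"}


def _glob(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.

    '[' is not special (unlike fnmatch). StringLike and Resource matching
    are case-sensitive; Action names are not. The same whole-string glob is
    used for ArnLike/ArnEquals, a simplification of the per-segment ARN
    matching IAM performs.
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


_OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,
    "StringLike": _glob,
    "ArnEquals": _glob,   # ArnEquals and ArnLike behave the same in IAM
    "ArnLike": _glob,
}


def condition_matches(condition: dict, context: dict) -> bool:
    """All operator blocks must hold (AND); within one key any listed value
    may match (OR). A key absent from the request context fails the test,
    which is exactly what happens to aws:SourceArn for a user's own call."""
    for operator, tests in condition.items():
        match = _OPERATORS[operator]
        for key, patterns in tests.items():
            if key not in context:
                return False
            values = patterns if isinstance(patterns, list) else [patterns]
            if not any(match(p, context[key]) for p in values):
                return False
    return True


def statement_allows(statement: dict, action: str, resource: str, context: dict) -> bool:
    """True when an Allow statement covers the action and resource and all of
    its conditions hold for the given request context."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    actions = actions if isinstance(actions, list) else [actions]
    resources = statement["Resource"]
    resources = resources if isinstance(resources, list) else [resources]
    if not any(_glob(a, action, case_insensitive=True) for a in actions):
        return False
    if not any(_glob(r, resource) for r in resources):
        return False
    return condition_matches(statement.get("Condition", {}), context)


def userid_statement(role_id: str, session_name: str) -> dict:
    """The working statement from the answer: pinned to one role session via
    aws:userid. Note that a '*' in session_name widens it to every matching
    session, so keep the value exact for per-user scoping."""
    return {
        "Sid": "IAMTest",
        "Effect": "Allow",
        "Action": ["iam:GetAccountSummary", "iam:ListAccountAliases"],
        "Resource": "*",
        "Condition": {"StringLike": {"aws:userid": f"{role_id}:{session_name}"}},
    }


def sourcearn_statement(account: str, role_name: str, session_name: str) -> dict:
    """The original attempt from the question: never matches a user-initiated
    call because aws:SourceArn is not in the context at all."""
    arn = f"arn:aws:sts::{account}:assumed-role/{role_name}/{session_name}"
    return {
        "Sid": "IAMTest",
        "Effect": "Allow",
        "Action": ["iam:GetAccountSummary", "iam:ListAccountAliases"],
        "Resource": "*",
        "Condition": {"ArnEquals": {"aws:SourceArn": arn}},
    }


if __name__ == "__main__":
    ctx = saml_session_context(ROLE_ID, "matt@domain.com")
    print(json.dumps(userid_statement(ROLE_ID, "matt@domain.com"), indent=2))
    print("aws:userid condition:", statement_allows(userid_statement(ROLE_ID, "matt@domain.com"), "iam:GetAccountSummary", "*", ctx))
    print("aws:SourceArn condition:", statement_allows(sourcearn_statement(ACCOUNT, ROLE_NAME, "matt@domain.com"), "iam:GetAccountSummary", "*", ctx))
```

Running the script prints the generated statement followed by True for the aws:userid condition and False for the aws:SourceArn one. Because the role ID is part of the matched value, the same e-mail address assuming a differently named role in the same account (which has a different RoleId) does not match either, which is the behaviour you want when every account has its own copy of the role.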