
Transforming a claim using multiple match RegEx


I'm working on connecting our on-prem AD with AWS by following this article. We have our AD Groups that are to be translated into AWS groups written in the format AWS#Account#Role#AccountNumber in AD. In ADFS, I am writing a custom claim that is to take that particular claim and convert it to the arn that requires the role and account number that is defined in the AD Group name. I was hoping to use a RegExReplace with a match type of ((?i)([-_a-z0-9]+) which should accurately give me multiple matches back from the incoming token.

My question is, is there a way that I can use the multiple matches generated there to generate one string ("arn:aws:iam::saml-provider/ADFS,arn:aws:iam::role/") that leverages the multiple matches to generate the AWS format I need?

I don't normally work with ADFS but this is something I was tasked to figure out and any help would be greatly appreciated.


Solution

  • In my Roles rule (executes after the gathering of AD Groups rule), I updated my claims rule language transform to:

    c:[Type=="http://temp/variable",
    Value=~"(?i)(^AWS)#([-_a-z0-9]+)#([-_a-z0-9]+)#([-_a-z0-9]+)"] =>
    issue(Type="https://aws.amazon.com/SAML/Attributes/Role",
    Value=RegExReplace(c.Value,
                       "(?i)(^AWS)#(?<accountname>[-_a-z0-9]+)#(?<role>[-_a-z0-9]+)#(?<accountnumber>[-a-z0-9]+)",
                       "arn:aws:iam::${accountnumber}:saml-provider/ADFS,arn:aws:iam::${accountnumber}:role/${role}"));


    This basically says, for any AD Group that was added to the temp variable and matches this regex, issue a claim of this type. In the RegExReplace, I assigned variable names to the grouping matches and then accessed those matches using the ${} syntax. This did the trick and now I see the list of roles in the arn format.
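An offline model of the transform above, added here as example code (it is not from the answer or from ADFS): Python's `re` with named groups stands in for the .NET RegExReplace, and a list of constructed group names shows which groups produce a role claim and which are left alone by the `^AWS` anchor. It assumes the IAM ARN form with the empty region field (`arn:aws:iam::ACCOUNT:...`).

```python
import re

# Same pattern as the rule's filter and RegExReplace; Python accepts the .NET (?i) prefix
# and ^ anchor unchanged, but named groups are spelled (?P<name>...) instead of (?<name>...).
GROUP_RE = re.compile(
    r"(?i)(^AWS)#(?P<accountname>[-_a-z0-9]+)#(?P<role>[-_a-z0-9]+)#(?P<accountnumber>[-a-z0-9]+)"
)

# Python's replacement syntax is \g<name> where the ADFS rule uses ${name}.
# Assumes the IAM ARN layout with an empty region field (the "::" after "iam").
ROLE_TEMPLATE = (
    r"arn:aws:iam::\g<accountnumber>:saml-provider/ADFS,"
    r"arn:aws:iam::\g<accountnumber>:role/\g<role>"
)

# Constructed sample AD group names standing in for the "http://temp/variable" claims.
SAMPLE_GROUPS = [
    "Domain Users",                          # no '#' layout: never becomes a role claim
    "AWS#Prod#Admin#123456789012",           # canonical match
    "aws#dev#ReadOnly#210987654321",         # lowercase prefix still matches via (?i)
    "NotAWS#Prod#Admin#123456789012",        # ^AWS anchor rejects a prefixed look-alike
    "AWS#Prod#Admin#123456789012 (legacy)",  # trailing text survives: pattern has no $ anchor
]


def issue_role_claims(group_names):
    """Model the rule: keep only groups passing the Value=~ filter, then RegExReplace each."""
    claims = []
    for name in group_names:
        if GROUP_RE.search(name):  # the Value=~ condition on the incoming claim
            claims.append(GROUP_RE.sub(ROLE_TEMPLATE, name))
    return claims


if __name__ == "__main__":
    for claim in issue_role_claims(SAMPLE_GROUPS):
        print(claim)
```

The last sample shows why a reviewer would want a `$` after the account-number group: without it, anything following the twelve digits is copied verbatim into the role ARN.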