amazon-web-services, amazon-iam

Connection between SSO Permission Set and IAM Role


I have a few SSO permission sets defined for the users in my system. These are connected to IAM roles where it's defined which policies are attached to each role.

Is it possible to see the connection between an SSO permission set and the connected role? If so where? Can this information be accessed via AWS CLI?

From AWS documentation:

Permission sets are stored in AWS SSO and are only used for AWS accounts. They are not used to manage access to cloud applications. Permission sets ultimately get created as IAM roles in a given AWS account, with trust policies that allow users to assume the role through AWS SSO.

If I understand correctly: when an SSO permission set is created, this permission set generates an IAM role automatically. When the permission set is updated, it also updates the connected IAM role. The name of the role matches the name of the SSO permission set with "AWSReservedSSO_" in front of the role name.

Is it possible to see which permission set is responsible for which role or is the name the only clue to this connection?


Solution

  • Maybe AWS will expand this capability for tagging AWS permission sets and propagating the tags to the provisioned roles in the destination accounts, but as of now it is not supported.

    Tagging AWS Single Sign-On resources

    Currently, tags can only be applied to permission sets and cannot be applied to corresponding roles that AWS SSO creates in AWS accounts

    There are two other ways I can think of right now; one I use myself (role descriptions).

    1. I assume most of the time we end up adding a canned policy to the permission set, like arn:aws:iam::aws:policy/job-function/NetworkAdministrator etc.

    We can describe the permissions on the role in question, and this will give us more confidence about which permission set maps to which SSO role:

    $ aws iam list-attached-role-policies --role-name AWSReservedSSO_NetworkAdminAccess_abcdec
    {
        "AttachedPolicies": [
            {
                "PolicyName": "AmazonVPCCrossAccountNetworkInterfaceOperations",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonVPCCrossAccountNetworkInterfaceOperations"
            },
            {
                "PolicyName": "NetworkAdministrator",
                "PolicyArn": "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
            }
        ]
    }
    
    2. Another option we can consider: when we don't use a canned policy like the above, we create our own IAM policy and attach it to the permission set. In that case we have the Description field available to us and we can put the necessary information in there. For example:

    $ aws iam get-role --role-name AWSReservedSSO_ViewOnlyAccess_Support_bacdefasdasd
    {
        "Role": {
            "Path": "/aws-reserved/sso.amazonaws.com/eu-central-1/",
            "RoleName": "AWSReservedSSO_ViewOnlyAccess_Support_fsdfsdfds",
            "RoleId": "dhjdhdhddadasd",
            "Arn": "sso role arn",
            "AssumeRolePolicyDocument": {},
            "Description": "ViewOnlyAccess + allowed to create support tickets",
            "RoleLastUsed": {}
        }
    }
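To make the two checks from this answer mechanical, here is an added Python example (not part of the question or the answer above) that correlates permission sets with the provisioned roles by the `AWSReservedSSO_<name>_<suffix>` naming convention and the `/aws-reserved/sso.amazonaws.com/` role path, then grades each match by comparing the attached managed policy ARNs. The input dictionaries are constructed to mirror the CLI output shown above; on a real account they would be filled from `aws sso-admin describe-permission-set` / `list-managed-policies-in-permission-set` and `aws iam get-role` / `list-attached-role-policies`. The function names, the sample role names and the assumption that the role-name suffix contains no underscore are mine.

```python
"""Added example: correlate AWS SSO permission sets with the IAM roles they
provision, using the role naming convention and path as the clue and the
attached managed policies as corroboration. All data below is constructed
to mirror the CLI output in the answer; nothing is fetched from AWS."""
import re
from typing import Optional

# Roles provisioned by AWS SSO live under this path (seen in the get-role output).
SSO_ROLE_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"

# Role name pattern: AWSReservedSSO_<permission set name>_<suffix>.
# Permission set names may contain underscores, so the suffix is whatever
# follows the LAST underscore (assumption: the suffix itself has none).
SSO_ROLE_NAME_RE = re.compile(r"^AWSReservedSSO_(.+)_([^_]+)$")

# Constructed: the fields we would take from `aws sso-admin describe-permission-set`
# and `aws sso-admin list-managed-policies-in-permission-set`.
PERMISSION_SETS = [
    {
        "Name": "NetworkAdminAccess",
        "ManagedPolicies": {
            "arn:aws:iam::aws:policy/job-function/NetworkAdministrator",
            "arn:aws:iam::aws:policy/AmazonVPCCrossAccountNetworkInterfaceOperations",
        },
    },
    {
        "Name": "ViewOnlyAccess_Support",
        "ManagedPolicies": {"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"},
    },
]

# Constructed: the fields we would take from `aws iam get-role` and
# `aws iam list-attached-role-policies` in a member account (placeholder suffixes).
IAM_ROLES = [
    {
        "RoleName": "AWSReservedSSO_NetworkAdminAccess_abcdec",
        "Path": "/aws-reserved/sso.amazonaws.com/eu-central-1/",
        "Description": "",
        "AttachedPolicies": {
            "arn:aws:iam::aws:policy/AmazonVPCCrossAccountNetworkInterfaceOperations",
            "arn:aws:iam::aws:policy/job-function/NetworkAdministrator",
        },
    },
    {
        "RoleName": "AWSReservedSSO_ViewOnlyAccess_Support_bacdefasdasd",
        "Path": "/aws-reserved/sso.amazonaws.com/eu-central-1/",
        "Description": "ViewOnlyAccess + allowed to create support tickets",
        "AttachedPolicies": {"arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"},
    },
    {   # constructed drift case: an extra policy attached directly to the role
        "RoleName": "AWSReservedSSO_ViewOnlyAccess_Support_stale01",
        "Path": "/aws-reserved/sso.amazonaws.com/eu-central-1/",
        "Description": "",
        "AttachedPolicies": {
            "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess",
            "arn:aws:iam::aws:policy/job-function/SupportUser",
        },
    },
    {   # constructed: no permission set of this name exists (any more)
        "RoleName": "AWSReservedSSO_DataScience_abc123",
        "Path": "/aws-reserved/sso.amazonaws.com/eu-central-1/",
        "Description": "",
        "AttachedPolicies": set(),
    },
    {   # ordinary IAM role, not provisioned by SSO: must be ignored
        "RoleName": "AdminRole",
        "Path": "/",
        "Description": "",
        "AttachedPolicies": {"arn:aws:iam::aws:policy/AdministratorAccess"},
    },
]


def parse_sso_role_name(role_name: str) -> Optional[tuple[str, str]]:
    """Return (permission set name, suffix) for an SSO-style role name, else None."""
    m = SSO_ROLE_NAME_RE.match(role_name)
    return (m.group(1), m.group(2)) if m else None


def is_sso_provisioned(role: dict) -> bool:
    """The reserved role path is a stronger signal than the name prefix alone."""
    return role.get("Path", "").startswith(SSO_ROLE_PATH_PREFIX)


def correlate(permission_sets: list, roles: list) -> list:
    """Map each SSO-provisioned role to a permission set and grade the evidence:
    confirmed  - name matches and attached managed policies are identical
    name-only  - name matches but the policy sets differ (investigate drift)
    unmatched  - no permission set with that name exists"""
    by_name = {ps["Name"]: ps for ps in permission_sets}
    results = []
    for role in roles:
        if not is_sso_provisioned(role):
            continue
        parsed = parse_sso_role_name(role["RoleName"])
        ps_name = parsed[0] if parsed else None
        ps = by_name.get(ps_name) if ps_name else None
        if ps is None:
            status = "unmatched"
        elif ps["ManagedPolicies"] == role["AttachedPolicies"]:
            status = "confirmed"
        else:
            status = "name-only"
        results.append({"RoleName": role["RoleName"], "PermissionSet": ps_name,
                        "Status": status, "Description": role.get("Description", "")})
    return results


if __name__ == "__main__":
    for r in correlate(PERMISSION_SETS, IAM_ROLES):
        print(f'{r["Status"]:10} {r["RoleName"]:55} -> {r["PermissionSet"]}  {r["Description"]}')
```

Only managed policies are compared here; a permission set's inline policy (and, in the account, any inline policy on the role) would need the same treatment before a "confirmed" result can be read as a full match. The "name-only" grade is the useful one for review: it flags roles whose effective permissions no longer equal what the permission set declares.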