Use custom Azure AD attributes for tag-based ABAC via AWS SSO

I am currently trying to set up a fine grained permission system for our infrastructure. We run each development stage in a different AWS account. Each stage therefore has different secrets that are used.

I now want to add a permission set to our SSO setup that allows GetSecretValue for secrets in the account if the user has the tag for the stage, e.g. user has the tag "develop = true", then the user can access the secret in our develop account, which also has the tag "develop = true".

To give the user the related tag, we want to use SAML assertions. We can not use existing default tags (e.g. Department), since AWS resource tags do not support proper evaluation of multiple values (e.g. a tag on the secret like "Stage"="develop,test" allowing develop and test users access).

I can however not get the SAML assertions for custom attributes to show up in the AWS SSO user, no matter what I do. We set the attribute as https://aws.amazon.com/SAML/Attributes/AccessControl:secret_test. This works if I use "Department" instead of "secret_test" (I assume because Department is one of the SCIM default attributes), but not for my custom attribute "secret_test".

Hence my questions are:

  • Is it even possible for AWS SSO ABAC to "see" and evaluate attributes created as SAML Assertions in Azure AD, if they are not default attributes?
  • Alternatively, is there a way to write a policy to evaluate for a part of the string instead of a full match? I tried filling "Department" with "develop/test" and then setting up a condition on the permission set like

    "Condition": {
        "StringLike": {
            "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
        }
    }

but that doesn't allow access for the user.
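As an added illustration (not part of the question or any answer), the script below is a small local model of how IAM resolves `${aws:PrincipalTag/...}` before applying StringEquals/StringLike: the substituted value is compared literally, so a principal tag "develop/test" never matches a resource tag "develop", whereas one boolean tag key per stage (develop=true on both sides) does. It is a simplified model of IAM's evaluation, and the `stage_policy` helper is an assumed name, not an AWS API.

```python
import json
import re

# Policy variables are replaced with the principal's tag value before the
# operator runs; a principal without that tag cannot satisfy the clause.
VAR_RE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def substitute(pattern, principal_tags):
    """Resolve ${aws:PrincipalTag/Key} in a pattern, or None if the key is missing."""
    if any(k not in principal_tags for k in VAR_RE.findall(pattern)):
        return None
    return VAR_RE.sub(lambda m: principal_tags[m.group(1)], pattern)


def string_like(value, pattern):
    """StringLike: case-sensitive match; only * and ? in the policy pattern are wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_allows(condition, principal_tags, resource_tags):
    """Evaluate StringEquals/StringLike clauses keyed on aws:ResourceTag/<Key>."""
    for operator, clauses in condition.items():
        for key, raw in clauses.items():
            actual = resource_tags.get(key.split("/", 1)[1])
            raw_list = raw if isinstance(raw, list) else [raw]
            patterns = [p for p in (substitute(r, principal_tags) for r in raw_list) if p is not None]
            if actual is None or not patterns:
                return False  # tag absent on the resource or on the principal
            if operator == "StringEquals":
                matched = actual in patterns
            elif operator == "StringLike":
                matched = any(string_like(actual, p) for p in patterns)
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not matched:
                return False
    return True


def stage_policy(stage):
    """Permission-set policy using one boolean tag key per stage (e.g. develop=true)."""
    condition = {"StringEquals": {f"aws:ResourceTag/{stage}": f"${{aws:PrincipalTag/{stage}}}"}}
    statement = {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                 "Resource": "*", "Condition": condition}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    asked = {"StringLike": {"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}
    print(condition_allows(asked, {"Department": "develop/test"}, {"Department": "develop"}))  # False
    print(json.dumps(stage_policy("develop"), indent=2))
```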

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
