How to create IAM roles with AIS permission boundary for system accounts?
Can a system account assume multiple such IAM roles in 1 AWS Account?
If an IAM role is created in account 1 but shared with account 2. A trusted principal. Can such a role be assumed by a bot in account 2?
Can a system account assume multiple such IAM roles in 1 AWS Account?
A:) System account to be granted SCP custom_role and in the assume role trust-relationship add the system account Masscot ID to achieve.
If an IAM role is created in account 1 but shared with account 2. A trusted principal. Can such a role be assumed by a bot in account 2?
A:)Yes can be achieived through granting role switch from account 1 to account 2.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
Related
I want to modify aws-auth.yaml and add one Kubernetes user under mapRole section. I wonder if I can attach multiple EKS user to the same IAM role for authentication. Will that work ?
I want to restrict access to an AWS S3 bucket so that new objects can only be created by users who have authenticated through a specific Cognito User Pool. Looking through the AWS documentation I can't work out how to specify the user pool as a principal in the policy. Can anyone help me with this?
If this isn't possible then I'd appreciate some pointers/guidance which might help me achieve the desired result using some other technique. Thanks.
I think a User Pool will not allow you to do this, seen as you only get an access token for an authenticated entity. You'll probably need to create an identity pool, which allows users in your user pool to retrieve temporary IAM credentials. In the identity pool, you can also configure the role these logged in users get with their temporary credentials. You can use these roles to restrict access to the S3 bucket to only those authenticated users.
In the example below, you can see the settings of an identity pool configured with a Cognito user pool as authentication provider. It will either use the default roles configured on top (big red rectangle) or you can choose a custom role for the Cognito authentication provider (small rectangle). All roles can be managed using IAM.
I am working on ADFS services for SSO project and was curious to know if we can make adfs to also check roles for authentication not just username and password.
So it will be like for authentication check username password and roles and if user belong to a particular role, he should be authenticated else not.
And I am not sure about it because it should fall under authorization instead of authentication but curious to know if it can be achieved.
I am using OpenIdConnect Protocol and LDAP for user information storage.
Edit 1:
Here an scenario for the problem:
site A(only Admin role user can access):
user provides UserName/Password and user do not belong to admin role(authentication failed and login failed to application).
Site B (Any User can access) :
user provides UserName/Password and user do not belong to admin role(authenticated and logged in to application).
Yes - you can configure ADFS for claims rules and for access policy.
So you can say e.g. that only members with role x can access the application. Or that members with role y can't.
We currently have an account with our company that we use to collect some information from the GA account of our customers.
This account is an #ourdomain account.
We intend to automate these queries by performing them via the GA API.
When creating an authentication key, an account is automatically created # query-domain-domains.iam.gserviceaccount.com.
I ask, is it possible to create an authentication key (JSON) for the account that is already readable in our client accounts, or will we have to ask the more than 1000 domains to add permission to our new user?
Thank you for any help.
Eduardo
To give permissions to a new user account you have to have permissions in the first place, so you cannot create a new service account that already has them.
However if your already have a user account with user management permissions you can use that to insert the service account programmatically via the Management API.
I can't see how to authenticate a user using the AWS backend instead of a developer as shown here: http://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
I want to login to the user accounts I created in my user pools in the Cognito dashboard. Anyone know how to log into a specific user identity in the Unity SDK?
The link you provided is for developer authenticated identities on Federate Identities which is different than the user accounts you have created in the User Pools.
In User Pools console you can go to the Users tab and see the user data. If you have created the users, you can use the credentials you set at creation to login to the user account.