
AWS and Okta Integration Guide

This document contains two IAM policy documents. The first policy allows listing all IAM roles. The second policy allows assuming a specific cross-account role in another AWS account. It also contains configuration information for using Okta to authenticate users and assume IAM roles in AWS accounts via SAML assertions.


{

"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT-ID :role/CrossAccountRoleName"
}
}

allow-assume-retail-s3-admin-role
allow-assume-sales-ec2-admin-role


https://signin.aws.amazon.com/switchrole?account=[retail_account_id]&roleName=EC2_Admins
arn:aws:iam::253541269580:role/EC2_Admins
o
o

lib out

aws-java-sdk-1.10.74.jar lib
lib awscli.command awscli.bat
aws-java-sdk
aws-java-sdk-1.10.74.jar)
out config.properties

OKTA_ORG acmecorp.okta.com

OKTA_AWS_APP_URL

AWS_IAM_KEY
AWS_IAM_SECRET

config.properties
out

./awscli.command

java -cp oktaawscli.jar:../lib/aws-java-sdk-1.10.74.jar com.okta.tools.awscli

~/.aws/credentials
~/.aws/config

671250123543/Retail-EC2-Admins/[email protected]
sts:AssumeRole

config.properties out

671250594556/Retail-EC2-Admins/[email protected]
arn:aws:iam::253541269580:role/EC2_Admins
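<!-- Excerpt of the SAML 2.0 assertion Okta issues for the AWS application.
     The root element's own attributes (ID, Version, IssueInstant) and the
     Issuer and Signature elements of a complete assertion are not part of this
     excerpt; the namespace bindings below were gathered onto the root so the
     fragment is well formed on its own. -->
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml2:Subject>
    <!-- The authenticated user as Okta identifies them. -->
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">[email protected]</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <!-- Bearer confirmation: whoever presents the assertion is treated as the
           subject, so the Recipient and the NotOnOrAfter deadline are what tie
           it to the AWS sign-in endpoint and bound how long it can be replayed. -->
      <saml2:SubjectConfirmationData NotOnOrAfter="2016-03-11T23:55:27.007Z"
                                     Recipient="https://signin.aws.amazon.com/saml"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <!-- Validity window: five minutes either side of AuthnInstant. The consumer
       must reject an assertion presented outside this window. -->
  <saml2:Conditions NotBefore="2016-03-11T23:45:27.007Z" NotOnOrAfter="2016-03-11T23:55:27.007Z">
    <saml2:AudienceRestriction>
      <!-- Only AWS may consume this assertion; one minted for a different
           service provider fails the audience check. -->
      <saml2:Audience>urn:amazon:webservices</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2016-03-11T23:50:27.007Z"
                        SessionIndex="id1457740227007.1664297527">
    <saml2:AuthnContext>
      <!-- How Okta authenticated the user: password over a protected transport. -->
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <!-- Each Role value is "<saml-provider ARN>,<role ARN>". The user may choose
         among the listed roles; the chosen role's trust policy must name this
         SAML provider as a principal for the AssumeRoleWithSAML call to succeed. -->
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xsi:type="xs:string">arn:aws:iam::671250594556:saml-provider/Okta,arn:aws:iam::671250594556:role/Sales-EC2-Admins</saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">arn:aws:iam::671250594556:saml-provider/Okta,arn:aws:iam::671250594556:role/Retail-EC2-Admins</saml2:AttributeValue>
    </saml2:Attribute>
    <!-- Becomes the session name of the assumed role, which is why the federated
         identity appears above as 671250594556/Retail-EC2-Admins/[email protected];
         keeping it equal to the user's login makes activity attributable per user. -->
    <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName"
                     NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xsi:type="xs:string">[email protected]</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>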
