Issue on "Use Amazon Web Services Session Tags for Role-Based Access Control"

I have been following this tutorial. I did successfully log in with the rule as

function(user, context, callback) {
  // AWS account id and the ARNs the SAML assertion must carry
  var awsAccount = 'myAccount';
  var rolePrefix = 'arn:aws:iam::' + awsAccount;
  var samlIdP = rolePrefix + ':saml-provider/auth0SamlProvider';

  // AWS expects the Role attribute as "<role-arn>,<idp-arn>"
  user.awsRole = rolePrefix + ':role/AccessByCostCenter,' + samlIdP;
  user.awsRoleSession = user.email;

  // Map user properties onto the SAML attribute names AWS reads
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession'
  };

  callback(null, user, context);
}

but once I update it to

function(user, context, callback) {
  // AWS account id and the ARNs the SAML assertion must carry
  var awsAccount = 'myAccount';
  var rolePrefix = 'arn:aws:iam::' + awsAccount;
  var samlIdP = rolePrefix + ':saml-provider/auth0SamlProvider';

  // AWS expects the Role attribute as "<role-arn>,<idp-arn>"
  user.awsRole = rolePrefix + ':role/AccessByCostCenter,' + samlIdP;
  user.awsRoleSession = user.email;

  // Values that become session (principal) tags on the assumed role
  user.awsTagKeys = ['CostCenter', 'MyUserId'];
  user.CostCenter = 'client';
  user.MyUserId = user.email;

  // Map user properties onto the SAML attribute names AWS reads;
  // PrincipalTag:<key> attributes turn into session tags
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession',
    'https://aws.amazon.com/SAML/Attributes/PrincipalTag:CostCenter': 'CostCenter',
    'https://aws.amazon.com/SAML/Attributes/PrincipalTag:MyUserId': 'MyUserId'
  };

  callback(null, user, context);
}

The login process fails with error code 403.

Please let me know if I need to do any cross-check on the setup.

My actual target is to allow users to only have access to resources tagged with their email/user_id.

Hopefully you eventually got this figured out. For anyone else stumbling across this thread, you have to add the sts:TagSession action to the trust policy to allow the IdP to add tags to the session. Without that, you’ll get the 403 error when trying to assume the role with the SAML token.
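As an added example (not from this thread or the Auth0 tutorial), here is what the reply above describes: a trust policy for the AccessByCostCenter role that allows both sts:AssumeRoleWithSAML and sts:TagSession for the auth0SamlProvider identity provider, followed by a permissions policy for the poster's stated goal of restricting access to resources tagged with the caller's own MyUserId. The account id 123456789012 is a placeholder, and the EC2 actions are an assumed example of tag-aware actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSamlFederationWithSessionTags",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:saml-provider/auth0SamlProvider"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyResourcesTaggedWithCallersUserId",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/MyUserId": "${aws:PrincipalTag/MyUserId}"
        }
      }
    }
  ]
}
```

The first document is the role's trust policy and the second is attached as the role's permissions policy; without sts:TagSession in the trust policy, an assertion carrying PrincipalTag attributes is rejected at AssumeRoleWithSAML, which is the 403 seen in the question.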