I have been following this tutorial. I successfully logged in with the rule below:
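/**
 * Auth0 rule: maps the logged-in user to one AWS IAM role for SAML federation.
 *
 * Sets `user.awsRole` to "<roleArn>,<samlProviderArn>" (the comma-separated pair
 * the AWS SAML Role attribute carries) and `user.awsRoleSession` to the user's
 * email, then points the two SAML attribute mappings at those user properties.
 *
 * @param {object} user - Auth0 user profile; `user.email` is read, `awsRole` and
 *   `awsRoleSession` are written onto it.
 * @param {object} context - Auth0 rule context; `context.samlConfiguration.mappings`
 *   is overwritten.
 * @param {function} callback - Auth0 rule continuation, invoked as
 *   `callback(null, user, context)`.
 */
function awsRoleRule(user, context, callback) {
  // 'myAccount' is a placeholder for the AWS account ID that owns both the role
  // and the SAML provider; the real rule carries the account number here.
  var awsAccount = 'myAccount';
  var rolePrefix = 'arn:aws:iam::' + awsAccount;
  var samlIdP = rolePrefix + ':saml-provider/auth0SamlProvider';
  // Role attribute format: "roleArn,providerArn" in a single value.
  user.awsRole = rolePrefix + ':role/AccessByCostCenter,' + samlIdP;
  // The session name is what CloudTrail records for the federated identity, so
  // tying it to the email keeps the audit trail attributable to a person.
  user.awsRoleSession = user.email;
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession'
  };
  callback(null, user, context);
}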
but once I update it to the following:
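/**
 * Auth0 rule: maps the logged-in user to one AWS IAM role and adds two session
 * tags (CostCenter, MyUserId) intended for attribute-based access control.
 *
 * Sets `user.awsRole` to "<roleArn>,<samlProviderArn>", `user.awsRoleSession` to
 * the user's email, and the two tag values, then points the SAML attribute
 * mappings (Role, RoleSessionName and one PrincipalTag per tag) at those user
 * properties.
 *
 * @param {object} user - Auth0 user profile; `user.email` is read, `awsRole`,
 *   `awsRoleSession`, `awsTagKeys`, `CostCenter` and `MyUserId` are written.
 * @param {object} context - Auth0 rule context; `context.samlConfiguration.mappings`
 *   is overwritten.
 * @param {function} callback - Auth0 rule continuation, invoked as
 *   `callback(null, user, context)`.
 */
function awsRoleWithTagsRule(user, context, callback) {
  // 'myAccount' is a placeholder for the AWS account ID that owns both the role
  // and the SAML provider.
  var awsAccount = 'myAccount';
  var rolePrefix = 'arn:aws:iam::' + awsAccount;
  var samlIdP = rolePrefix + ':saml-provider/auth0SamlProvider';
  // Role attribute format: "roleArn,providerArn" in a single value.
  user.awsRole = rolePrefix + ':role/AccessByCostCenter,' + samlIdP;
  user.awsRoleSession = user.email;
  // NOTE(review): awsTagKeys is assigned but none of the mappings below refer to
  // it, so as this rule stands it does not reach the SAML assertion.
  user.awsTagKeys = ['CostCenter', 'MyUserId'];
  user.CostCenter = 'client';
  // MyUserId is taken straight from the email claim. When this tag is what gates
  // resource access, consider requiring user.email_verified first: a tag built
  // from an unverified email is a value the user, not the IdP, chose — confirm
  // for the connections in use.
  user.MyUserId = user.email;
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession',
    // NOTE(review): PrincipalTag attributes become STS session tags. Besides
    // sts:AssumeRoleWithSAML, the role's trust policy then also has to allow
    // sts:TagSession for the SAML provider principal, and every tag value must
    // fit AWS's tag length and character limits; either condition failing is a
    // plausible source of the 403 seen after adding these two lines — confirm
    // against the role's trust policy before looking elsewhere.
    'https://aws.amazon.com/SAML/Attributes/PrincipalTag:CostCenter': 'CostCenter',
    'https://aws.amazon.com/SAML/Attributes/PrincipalTag:MyUserId': 'MyUserId',
  };
  callback(null, user, context);
}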
The login process fails with error code 403.
Please let me know if I need to do any cross-checks on the setup.
My actual goal is to allow users to access only the resources tagged with their email/user_id.