Hello,
I have a question about this article:
When creating a role on AWS, is there any way to restrict who from my Auth0 setup can log into a role by email? I tried adding the SAML:mail attribute, but that doesn't seem to work. I am currently storing the mapping of roles in the user's metadata profile.
{
  "awsRole": [
    "arn:aws:iam::xxxx:role/myrolename,arn:aws:iam::xxx:saml-provider/auth0SamlProvider"
  ]
}
where xxxx are real AWS account IDs. Then I have a rule with this code:
function (user, context, callback) {
  // Copy the role mapping from user_metadata and use the e-mail as the session name
  user.awsRole = user.user_metadata.awsRole;
  user.awsRoleSession = user.email;
  // Map the two AWS-specific SAML attributes onto those user properties
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession'
  };
  callback(null, user, context);
}
So, a role should not show up for a user unless it is specified in their user metadata ‘awsRole’ attribute. Is that enough? Or would there also be a way to limit the Trust relationship from the default in AWS:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxx:saml-provider/auth0SamlProvider"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
Thanks!
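An added example, not part of the post above: a defensive version of the rule in the question. It only emits the AWS Role attribute when every user_metadata.awsRole entry is a well-formed "roleArn,providerArn" pair that points at the expected account and SAML provider; the account id is a constructed placeholder, and the provider name auth0SamlProvider is taken from the post.

```javascript
// Assumed values: the 12-digit account id is a constructed placeholder;
// the provider name comes from the post above.
const EXPECTED_ACCOUNT = '123456789012';
const EXPECTED_PROVIDER =
  `arn:aws:iam::${EXPECTED_ACCOUNT}:saml-provider/auth0SamlProvider`;
// Role ARN in the expected account. Commas are excluded from the role name
// because the AWS Role attribute itself uses the comma as a separator.
const ROLE_ARN_RE = /^arn:aws:iam::(\d{12}):role\/[\w+=.@/-]+$/;

// Returns the entries that are safe to assert, or [] if any entry is bad:
// one malformed or foreign mapping should block the whole AWS login.
function filterAwsRoles(entries) {
  if (!Array.isArray(entries) || entries.length === 0) return [];
  const ok = [];
  for (const entry of entries) {
    if (typeof entry !== 'string') return [];
    const [roleArn, providerArn, extra] = entry.split(',');
    const m = ROLE_ARN_RE.exec(roleArn || '');
    if (!m || extra !== undefined) return [];
    if (m[1] !== EXPECTED_ACCOUNT || providerArn !== EXPECTED_PROVIDER) return [];
    ok.push(entry);
  }
  return ok;
}

// Auth0 rule signature: (user, context, callback).
function awsRoleRule(user, context, callback) {
  const meta = user.user_metadata || {};
  const roles = filterAwsRoles(meta.awsRole);
  if (roles.length === 0) {
    // No usable mapping: leave the assertion without AWS attributes so the
    // AWS sign-in fails closed instead of presenting a guessed role.
    return callback(null, user, context);
  }
  user.awsRole = roles;
  user.awsRoleSession = user.email;
  context.samlConfiguration = context.samlConfiguration || {};
  context.samlConfiguration.mappings = {
    'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
    'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession',
  };
  return callback(null, user, context);
}
```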