我正在尝试创建 IAM 角色,Azure AD 将使用该角色来托管 sso..
我已经使用 IAM 角色创建了一个 cft,现在我希望它仅与我创建的 Saml 身份提供商关联。
{
"Resources": {
"FullAdminXME": {
"Type": "AWS::IAM::Role",
"Properties": {
"Description" : "SAML Role for Azure AD SSO",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AdministratorAccess"
]
}
},
还有一种方法可以让我使用云形成来创建 saml 身份提供商。
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
身份提供商的示例 arn
arn:aws:iam::123456789012:saml-provider/MyUniversity</SAMLProviderArn>
我只想绑定(bind)到 saml 身份提供商。
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
最佳答案
我已经弄清楚了,请参阅下面的代码
"Resources": {
"FullAdminXME": {
"Type": "AWS::IAM::Role",
"Properties": {
"Description" : "SAML Role for Azure AD SSO",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement":
{
"Effect": "Allow",
"Principal": {
"Federated": { "Ref" : "SAMLID" }
},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
}
}
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AdministratorAccess"
]
}
关于json - 在云形成中如何将可信实体与 IAM 角色的身份提供商相关联,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57896476/