Use Amazon Web Services Session Tags for Role-Based Access Control
With Amazon Web Services (AWS) Session Tags, you can tag resources and assign users key/value pairs, which allows you to implement role-based access control (RBAC) for AWS APIs and resources.
In the example included in this guide, we will tag our AWS resources with AWS Session Tags, then create a policy for an AWS IAM role that will allow users with this role and the appropriate tags to perform specific actions on our AWS resources. We will then create a rule in Auth0 that will attach our AWS IAM role and appropriate AWS Session Tags to an Auth0 user and pass them through SAML assertions in the token. This example builds on the example provided in Configure Amazon Web Services for Single Sign-On.
To use AWS Session Tags with AWS APIs and Resources, you must:
Tag AWS instances.
Create a specialized AWS IAM role.
Create an Auth0 rule.
Test your configuration.
Prerequisites
You'll need an Amazon Web Services (AWS) account for which you are an administrator.
Set up some AWS VM Instances. For the example in this guide, we use three separate instances.
Tag AWS instances
Add tags to your AWS resources. Follow instructions in Amazon Elastic Compute Cloud User Guide for Linux Instances: Adding and Deleting Tags on an Individual Resource.
You should have created three instances. Add the following tags:
| Instance | Tags |
|---|---|
| 1 | Key: CostCenter, Value: marketing.Key: Project, Value: website. |
| 2 | Key: CostCenter, Value: engineering.Key: Project, Value: management_dashboard. |
| 3 | Key: CostCenter, Value: marketing.Key: Project, Value: community_site. |
Create a specialized AWS IAM role
Create an IAM role using the AWS SAML identity provider you set up during the prerequisites. Follow the instructions in AWS Identity and Access Management User Guide: Creating a Role for SAML 2.0 Federation (Console).
While setting up your role, make sure you use the following parameters:
| Parameter | Description and Sample Value |
|---|---|
| SAML Provider | Name of the identity provider you created in the prerequisites, such as auth0SamlProvider. Select Allow programmatic and AWS Management Console access. |
When asked to Attach permissions policies, create a policy with the following JSON and name it VirtualMachineAccessByCostCenter.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CostCenter": "<%= "${aws:PrincipalTag/CostCenter}" %>"
}
}
}
]
}Was this helpful?
Once the policy has been created, refresh the policy list for the role, then filter and select the new policy.
When reviewing your settings, make sure you use the following parameters:
| Parameter | Description |
|---|---|
| Role name | Descriptive name for your role, such as AccessByCostCenter. |
| Role description | Description of the purpose for which your role is used. |
Create an Auth0 rule
To map the AWS role and tags to a user, you'll need to create a rule in Auth0. These values will then be passed through the SAML assertions in the token. For the example:
Replace the awsAccount variable value with your own account number.
function(user, context, callback) {
var awsAccount = '013823792818';
var rolePrefix = `arn:aws:iam::` + awsAccount;
var samlIdP = rolePrefix + `:saml-provider/auth0SamlProvider`;
user.awsRole = rolePrefix + `:role/AccessByCostCenter,` + samlIdP;
user.awsRoleSession = user.email;
user.awsTagKeys = ['CostCenter', 'Project'];
user.CostCenter = 'marketing';
user.Project = 'website';
context.samlConfiguration.mappings = {
'https://aws.amazon.com/SAML/Attributes/Role': 'awsRole',
'https://aws.amazon.com/SAML/Attributes/RoleSessionName': 'awsRoleSession',
'https://aws.amazon.com/SAML/Attributes/PrincipalTag:CostCenter': 'CostCenter',
'https://aws.amazon.com/SAML/Attributes/PrincipalTag:Project': 'Project'
};
callback(null, user, context);
}Was this helpful?
Test configuration
You should now be able to log in to the AWS Console using an Auth0 user and test your implementation.
To log in, you will need the SSO login for the AWS Console. To find it:
Go to Dashboard > Applications > Applications and select the name of the Application to view.
On the Addons tab, enable the SAML2 Web App add-on.
On the Usage tab, locate Identity Provider Login URL.
Go to the indicated URL.
Once you have signed in, from EC2, select Instances. Click one of the instances tagged with a
CostCenterofmarketing, and click Actions > Instance State > Stop. Notice that the action completes successfully.Click the instance tagged with a
CostCenterofengineering, and click Actions > Instance State > Stop. Notice that the action fails with an error.