Tohuwabohu excorcism

User Tools

Site Tools

Trace: iam
cloud:aws:iam

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
cloud:aws:iam [2023/11/01 07:13] – removed - external edit (Unknown date) 127.0.0.1cloud:aws:iam [2023/11/01 07:13] (current) – ↷ Page moved from business_process_management:camunda:cloud:aws:iam to cloud:aws:iam skipidar
Line 1: Line 1:
 +====== IAM ======
 +
 +
 +===== how to evaluate Deny and Allow statements in one policy? =====
 +
 +
 +Here's how IAM evaluates policies containing "Deny" and "Allow" statements:
 +
 +**Default Deny**: By default, access to AWS resources is denied. If there are no policies attached to a user, group, or role, or if no policies explicitly grant access, AWS denies the action.
 +
 +**"Allow" Statements**: IAM evaluates all the "Allow" statements in the policies attached to the user, group, or role. If any "Allow" statement allows the action, the action is permitted, subject to any further restrictions from subsequent "Deny" statements.
 +
 +**"Deny" Statements**: IAM then evaluates all the "Deny" statements in the policies. If any "Deny" statement explicitly denies the action, the action is denied, regardless of any previous "Allow" statements.
 +
 +
 +
 +===== how to manage single sign on SSO across accounts? =====
 +
 +To SSO into accounts with limited permissions use
 +
 +In the "IAM Identity Center": https://console.aws.amazon.com/singlesignon/home
 +
 +As described here: https://aws.amazon.com/iam/identity-center/
 +
 +
 +This is how the management of the organization looks like.
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/rzobZTpDPq.png?550x250}}
 +
 +
 +I have striked through the entry URL which is used to SSO into the organization.
 +
 +The URL looks like 
 +<code>
 +https://myssoportal.awsapps.com/start
 +</code>
 +where you can pick the "myssoportal" freely.
 +
 +
 +=== SSO from a CMD / Shell ===
 +
 +When the setup is done \\
 +then trigger login from console \\
 +will allow you to get credentials **for the console** via SSO \\
 +or for the programmatic access
 +
 +SSO from the command line like this:
 +<code>
 +$ aws sso login --profile default
 +
 +Attempting to automatically open the SSO authorization page in your default browser.
 +If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 +
 +https://device.sso.eu-central-1.amazonaws.com/
 +
 +Then enter the code:
 +
 +ABCD-CPZB
 +</code>
 +
 +After the login with your global user (which you manage in your IAM identity center https://aws.amazon.com/iam/identity-center/) \\
 +you will be redirected to the SSO page
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/DMWBdCy4ii.png?600x250}}
 +
 +From where you can approve the request:
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/gdnlKAhViU.png?550x250}}
 +
 +Dont forget to log out:
 +
 +<code>
 +$ aws sso logout
 +</code>
 +
 +
 +=== SSO to AWS management console ===
 +
 +To SSO into the AWS console - your also can navigate directly to \\
 +and pick one of the available role to SSO into the AWS management console.
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/DMWBdCy4ii.png?600x250}}
 +
 +
 +
 +==== Setting up SSO via "identity portal" ====
 +
 +As in https://medium.com/@pushkarjoshi0410/how-to-set-up-aws-cli-with-aws-single-sign-on-sso-acf4dd88e056
 +
 +
 +To make the terraform work - you need a profile without "sso_session = mysso"
 +
 +as stated in https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/
 +
 +
 +
 +**Leave "SSO session name" empty!!**
 +
 +<code>
 +$ aws configure sso --profile default
 +
 +SSO session name (Recommended):
 +WARNING: Configuring using legacy format (e.g. without an SSO session).
 +Consider re-running "configure sso" command and providing a session name.
 +
 +SSO start URL [None]: https://myssoportal.awsapps.com/start
 +SSO region [None]: eu-central-1
 +Attempting to automatically open the SSO authorization page in your default browser.
 +If the browser does not open or you wish to use a different device to authorize this request, open the following URL:
 +
 +https://device.sso.us-east-1.amazonaws.com/
 +
 +Then enter the code:
 +
 +XXXX-XXXX
 +
 +<select role>
 +Using the role name "HappyLegacyUser"
 +CLI default client Region [None]: <default region>
 +CLI default output format [None]: <default output>
 +
 +To use this profile, specify the profile name using --profile, as shown:
 +
 +aws s3 ls --profile default
 +
 +</code>
 +
 +
 +
 +
 +Associated
 +
 +~/.aws/config
 +
 +<code>
 +[default]
 +region = eu-central-1
 +sso_start_url = https://********.awsapps.com/start
 +sso_region = eu-central-1
 +sso_account_id = 36********63
 +output = json
 +sso_role_name = Admin-NoIAM-NoBilling
 +
 +</code>
 +
 +
 +== Provisioning the permission sets ==
 +
 +Newly defined permission sets remain in the "not provisioned" state.
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/FCrkJqPZXz.png?475x141}}
 +
 +
 +To become available anywhere - they must be explicitly assigned to an account.
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/INbUFPxaxf.png?475x141}}
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/0sSljOCYoC.png?475x141}}
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/kx8vD6eKyB.png?475x141}}
 +
 +Only then the permission sets become "provisioned"
 +
 +{{https://s3.eu-central-1.amazonaws.com/alf-digital-wiki-pics/sharex/d8Eub00GLN.png?475x141}}