AWS ABAC with SSO

Background

The previous post covered the basics of AWS ABAC. This post looks at how to combine ABAC with SSO, so that once an enterprise user has signed in to the cloud through single sign-on, authorization is decided by resource tags.

Creating the role

For the permissions policy, the access-same-product-team policy from the previous post can be reused as-is.

Create a new role, abacRole, and attach access-same-product-team to it. Then edit the role's trust policy and add sts:TagSession to the Action list, so that the session tags carried in the SAML assertion are accepted:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::433312851566:saml-provider/springrun"
      },
      "Action": [
        "sts:AssumeRoleWithSAML",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

SAML protocol

In the SAML assertion, add the corresponding tags as PrincipalTag attributes; each attribute name ends with the tag key and its value becomes the session tag value:

<saml2:AttributeStatement>
  <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:team">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">dev1</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:product">
    <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">app1</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>

Testing

After signing in through SSO into the abacRole role, the session can read dev/app1/key in Secrets Manager but has no access to dev/app2/key1.
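To make the three pieces above concrete, here is an added Python example (not code from the original post) that extracts the PrincipalTag attributes from a constructed copy of the assertion, models the STS rule that session tags are rejected unless the trust policy also allows sts:TagSession, and then applies an assumed access-same-product-team rule (principal product tag must equal the secret's product tag) to the two secrets from the test. The secret tags and the exact form of the permissions policy are assumptions, since the post does not show them.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TAG_PREFIX = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:"

# Constructed sample: the post's AttributeStatement with the saml2 namespace declared.
ASSERTION = f"""<saml2:AttributeStatement xmlns:saml2="{SAML_NS}">
  <saml2:Attribute Name="{TAG_PREFIX}team"><saml2:AttributeValue>dev1</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="{TAG_PREFIX}product"><saml2:AttributeValue>app1</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement>"""

# Constructed trust-policy Action lists: the post's version and one missing sts:TagSession.
TRUST_WITH_TAGSESSION = ["sts:AssumeRoleWithSAML", "sts:TagSession"]
TRUST_WITHOUT_TAGSESSION = ["sts:AssumeRoleWithSAML"]

# Assumed resource tags on the two secrets; the post only states app1 is allowed and app2 is not.
SECRET_TAGS = {
    "dev/app1/key": {"team": "dev1", "product": "app1"},
    "dev/app2/key1": {"team": "dev1", "product": "app2"},
}


def principal_tags(xml_text):
    """Return {tag_key: value} for every PrincipalTag attribute in the AttributeStatement."""
    root = ET.fromstring(xml_text)
    tags = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("Name", "")
        if name.startswith(TAG_PREFIX):
            value = attr.find(f"{{{SAML_NS}}}AttributeValue")
            tags[name[len(TAG_PREFIX):]] = (value.text or "").strip()
    return tags


def assume_role_with_saml(trust_actions, xml_text):
    """Model STS: an assertion carrying PrincipalTag attributes is rejected unless
    the trust policy allows sts:TagSession in addition to sts:AssumeRoleWithSAML."""
    if "sts:AssumeRoleWithSAML" not in trust_actions:
        raise PermissionError("sts:AssumeRoleWithSAML not allowed by trust policy")
    tags = principal_tags(xml_text)
    if tags and "sts:TagSession" not in trust_actions:
        raise PermissionError("session tags present but sts:TagSession not allowed")
    return tags


def can_read_secret(session_tags, secret_tags):
    """Assumed access-same-product-team rule: aws:PrincipalTag/product == aws:ResourceTag/product."""
    return "product" in session_tags and session_tags["product"] == secret_tags.get("product")


def check_access(trust_actions, xml_text, secret_name):
    """Full flow: federated login with session tags, then the ABAC check on one secret."""
    session_tags = assume_role_with_saml(trust_actions, xml_text)
    return can_read_secret(session_tags, SECRET_TAGS[secret_name])
```

Running check_access with the post's trust policy returns True for dev/app1/key and False for dev/app2/key1, while dropping sts:TagSession from the trust policy makes the login itself fail, which is the symptom to look for when tags silently stop working.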