AWS module
==========
The AWS module provides integration with AWS IAM by deriving the necessary
AWS-defined attributes from existing ones.
`aws:SetAWSAttributes`
----------------------
This module adds the AWS-defined attributes specifying a login name and one
or more IAM roles. It accepts the following configuration options:
    20 => array(
        'class' => 'aws:SetAWSAttributes',
        /* Name of existing attribute to copy as AWS RoleSessionName */
        'attribute.uid' => 'uid',
        /* Name of existing attribute(s) that contain the names of roles */
        'attribute.role' => 'groups',
        /* Id number of the AWS account being linked - must be specified */
        'aws.account' => '939655020730',
        /* Name of the matching SAML provider defined in IAM - must be specified */
        'iam.provider' => 'IAMProvider',
        /* How long in seconds the AWS login session may last - default 1 hour */
        'session.duration' => 3600,
        /*
         * Map of AWS role name => array of local matching values.
         * The IAM role will be granted if some value in an `attribute.role`
         * attribute matches one of the values listed here. Roles
         * are evaluated in order (important if `match.all` is left false).
         * There are no default mappings.
         */
        'iam.roles' => array(
            'IAMUser' => array('users'),
            'IAMAdmin' => array('sudo', 'wheel'),
        ),
        /*
         * Whether to grant every IAM role whose mapping matches.
         * By default, matching will stop on the first
         * granted role. Set true to enable choosing
         * from a list of all granted roles during login.
         */
        'match.all' => false,
    ),
All values needed to ascertain role memberships are expected to be set already
when this filter runs. If, for example, user data is loaded from LDAP, IAM roles
could be mapped based on `objectClass`, on group memberships exposed via `memberOf`,
or on additional attributes populated by a separate LDAP filter performing an extra
LDAP search.
After this filter runs, three new attributes will be added to the SAML assertion for the request:
- `https://aws.amazon.com/SAML/Attributes/RoleSessionName`
Contains a single value, the name by which the login session will be identified
- `https://aws.amazon.com/SAML/Attributes/SessionDuration`
Contains a single value, the duration in seconds after which the login session
will expire
- `https://aws.amazon.com/SAML/Attributes/Role`
Contains one or more values identifying a pairing of IAM role with IAM provider,
in the format
`arn:aws:iam::<aws-account-id>:role/<iam-role-name>,arn:aws:iam::<aws-account-id>:saml-provider/<iam-provider-name>`.
If multiple values are provided, users will be offered a choice of role during login.
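The following is an added illustration of the mapping described above (the ordered `iam.roles` evaluation, the `match.all` switch and the `Role` ARN format), written here as stand-alone Python rather than taken from the module's PHP source. The configuration dictionary mirrors the example block above; the decision to refuse when the `attribute.uid` value is absent or no role matches is this example's own assumption, not documented module behaviour.

```python
from typing import Dict, List

# Constructed config mirroring the aws:SetAWSAttributes example above.
CONFIG = {
    'attribute.uid': 'uid',
    'attribute.role': 'groups',
    'aws.account': '939655020730',
    'iam.provider': 'IAMProvider',
    'session.duration': 3600,
    # dict order is the evaluation order, as with the PHP array
    'iam.roles': {'IAMUser': ['users'], 'IAMAdmin': ['sudo', 'wheel']},
    'match.all': False,
}

PREFIX = 'https://aws.amazon.com/SAML/Attributes/'


def granted_roles(config: Dict, attributes: Dict[str, List[str]]) -> List[str]:
    """Evaluate iam.roles in order; stop at the first match unless match.all is set."""
    role_attrs = config['attribute.role']
    if isinstance(role_attrs, str):
        role_attrs = [role_attrs]
    local_values = {v for name in role_attrs for v in attributes.get(name, [])}
    granted = []
    for role, matches in config['iam.roles'].items():
        if any(m in local_values for m in matches):
            granted.append(role)
            if not config.get('match.all', False):
                break
    return granted


def role_arn(config: Dict, role: str) -> str:
    """Build the 'role-arn,provider-arn' pair AWS expects in the Role attribute."""
    account = config['aws.account']
    return (f"arn:aws:iam::{account}:role/{role},"
            f"arn:aws:iam::{account}:saml-provider/{config['iam.provider']}")


def set_aws_attributes(config: Dict, attributes: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return a copy of the attributes with the three AWS attributes added."""
    uid_attr = config['attribute.uid']
    if not attributes.get(uid_attr):
        raise ValueError(f"attribute {uid_attr!r} missing; cannot set RoleSessionName")
    roles = granted_roles(config, attributes)
    if not roles:  # assumption: no matching role means no AWS login is offered
        raise ValueError("no IAM role mapping matched the user's attributes")
    out = dict(attributes)
    out[PREFIX + 'RoleSessionName'] = [attributes[uid_attr][0]]
    out[PREFIX + 'SessionDuration'] = [str(config.get('session.duration', 3600))]
    out[PREFIX + 'Role'] = [role_arn(config, r) for r in roles]
    return out
```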