IAM upgrades: SSO Permission Sets as Teams, SourceIdentity support, region independence
What
- Enable SSO Permission Sets to function as teams
- Allow SAML sign on via any regional endpoint, not only us-east-1
- Allow use of AWS "Source Identity" for SAML and SSO users (not enabled for OIDC)
Why
- Reduce the friction between SSO permission sets and SAML roles by allowing people to use either interchangeably.
(Almost. SSO permission sets do not yet have the same permissions as SAML roles in the
identityaccount itself.) - Enable continued access in the event of a regional outage in us-east-1 as happened recently
- Enable auditing of who is using assumed roles
References
- Monitor and control actions taken with assumed roles
- How to integrate AWS STS SourceIdentity with your identity provider
- AWS Sign-In endpoints
- Available keys for SAML-based AWS STS federation
Upgrade notes
The regional endpoints and Source Identity support are non-controversial and cannot be disabled. They do, however,
require running terraform apply against aws-saml, aws-teams, and aws-team-roles in all accounts.
AWS SSO updates
To enable SSO Permission Sets to function as teams, you need to update account-map and aws-sso, then apply changes
to
tfstate-backendaws-teamsaws-team-rolesaws-sso
This is all enabled by default. If you do not want it, you only need to update account-map, and add
account-map/modules/roles-to-principles/variables_override.tf in which you set
overridable_team_permission_sets_enabled to default to false
Under the old iam-primary-roles component, corresponding permission sets were named Identity<role>RoleAccess. Under
the current aws-teams component, they are named Identity<role>TeamAccess. The current account-map defaults to the
latter convention. To use the earlier convention, add account-map/modules/roles-to-principles/variables_override.tf in
which you set overridable_team_permission_set_name_pattern to default to "Identity%sRoleAccess"
There is a chance the resulting trust policies will be too big, especially for tfstate-backend. If you get an error
like
Cannot exceed quota for ACLSizePerRole: 2048
You need to request a quota increase (Quota Code L-C07B4B0D), which will be automatically granted, usually in about 5 minutes. The max quota is 4096, but we recommend increasing it to 3072 first, so you retain some breathing room for the future.