Proposed: Use AWS Federated IAM over AWS SSO
Date: 19 Oct 2021
The proposal in this ADR was rejected! For questions, please reach out to Cloud Posse.
- Customers overwhelmingly prefer AWS SSO. We continue to use both AWS Federated IAM with the
aws-samlcomponent and use AWS SSO with theaws-ssocomponent. However, customers typically use AWS SSO themselves and grant Cloud Posse access by AWS Federated IAM.
Status
IN PROGRESS @Jeremy Grodberg working on this one.
Context
AWS Federated IAM and AWS SSO can coexist and are not mutually exclusive.
AWS SSO
Pros
-
Native support via the AWS cli (e.g.
aws sso logincommand) -
It is nice that you can define a permission set once and deploy it to all the accounts (but we can do that with Terraform about as easily)
Cons
-
Must have a profile to log into and use a permission set
-
Cannot set IAM permissions boundary
-
Cannot attach customer-managed IAM policies
-
Cannot set
SourceIdentity -
Cannot use as a Principal in IAM policies because they are transient (a particular problem with EKS access)
-
Cannot have more than one IdP
-
In our use cases, the IdP is still a SAML app requiring a SAML connector
AWS Federated IAM with SAML
# Note that you cannot update the aws-sso component if you are logged in via aws-sso.
# Use the SuperAdmin credentials mentioned in docs/cold-start.md (as of now, stored in 1password)
aws-saml-sso:
settings:
spacelift:
workspace_enabled: false
vars:
idps:
cloudposse:
acme:
roles:
terraform-prod:
policy: ..
terraform-nonprod: ..
account_assignments:
artifacts:
grants:
- cloudposse:
- terraform-nonprod
- acme
- terraform-nonprod
- terraform-prod
dev:
direct_idp:
- cloudposse:
- terraform-nonprod
grants:
- acme
- terraform-nonprod
- terraform-prod
Pros
-
Full control over the implementation
-
No problems working with EKS and terraform
Cons
-
GSuite does not support mapping group attributes to SAML attributes (But they don't really solve it for AWS SSO either, and if you can script the GSuite API you can achieve the same effect.)
-
Our current implementation with iam-primary-roles and iam-delegated-roles is outdated and should be updated to use the interface we developed for AWS sso.
When to use AWS SSO?
AWS SSO is ideally suited for business users of AWS that interact with the AWS Web Console. It does work well with the aws CLI, but not together with EKS.
When to use AWS Federated IAM with SAML?
AWS Federated IAM is ideally suited for organizations that need to use multiple Identity Providers (IdP). It’s also better suited for managing the IAM RBAC mapping with EKS due to limitations in AWS managing the auth ConfigMap which has no AWS API. https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
Decision
DECIDED: