AWS Identity Center - temporary permission set

How does it work?

  • Entitle connects to the root account of your organization.
  • From the root account, Entitle retrieves and manages the SSO users, groups, and permission sets.
  • From the root account, Entitle assumes the roles configured for the sub-accounts.
  • In the sub-accounts, Entitle collects and manages the resources via the role.
  • When access is granted, a new temporary permission set named in the entitle-<String> format is created and assigned to the user who requested the access.
  • When access is revoked, that temporary permission set is deleted.
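As an added example (not part of Entitle's product or this guide), a check a defender can run against Identity Center to catch entitle-* permission sets that outlived their grant, which is exactly what the revocation step above should have deleted. The 24-hour maximum grant, the boto3 calls in the main block and the sample data are assumptions:

```python
from datetime import datetime, timedelta, timezone

PREFIX = "entitle-"  # name format of the temporary permission sets described above

def find_stale_temporary_sets(permission_sets, now, max_grant=timedelta(hours=24)):
    """Return (name, reason) for entitle-* permission sets that should already be gone.

    Items carry "Name", "CreatedDate" (aware datetime) and "AccountIds" (accounts the set is
    provisioned to), as in sso-admin DescribePermissionSet / ListAccountsForProvisionedPermissionSet.
    max_grant is an assumption: use the longest access duration your policy allows.
    """
    stale = []
    for ps in permission_sets:
        if not ps["Name"].startswith(PREFIX):
            continue  # permanent, hand-managed permission sets are out of scope
        age = now - ps["CreatedDate"]
        if not ps["AccountIds"]:
            stale.append((ps["Name"], "temporary set is not provisioned to any account"))
        elif age > max_grant:
            stale.append((ps["Name"], f"created {age.days}d ago, longer than the maximum grant"))
    return stale

# Constructed sample shaped like the API responses; ARNs and account ids are not real.
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

def _sample(name, age, accounts):
    return {"Name": name, "PermissionSetArn": f"arn:aws:sso:::permissionSet/ssoins-example/ps-{name}",
            "CreatedDate": SAMPLE_NOW - age, "AccountIds": accounts}

SAMPLE_SETS = [
    _sample("AdministratorAccess", timedelta(days=400), ["111111111111"]),  # permanent, ignored
    _sample("entitle-abc123", timedelta(hours=2), ["222222222222"]),        # live grant, fine
    _sample("entitle-def456", timedelta(days=3), ["222222222222"]),         # outlived the grant
    _sample("entitle-ghi789", timedelta(hours=1), []),                      # revoked, not deleted
]

if __name__ == "__main__":
    # Live use (assumes boto3, one page of results, and credentials holding the sso:List*/Describe*
    # actions from this guide plus sso:ListAccountsForProvisionedPermissionSet).
    import boto3
    sso = boto3.client("sso-admin", region_name="<REGION>")
    instance_arn = "<INSTANCE_ARN_OF_SSO_FEDERATION>"
    live = []
    for arn in sso.list_permission_sets(InstanceArn=instance_arn)["PermissionSets"]:
        ps = sso.describe_permission_set(InstanceArn=instance_arn, PermissionSetArn=arn)["PermissionSet"]
        ps["AccountIds"] = sso.list_accounts_for_provisioned_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=arn)["AccountIds"]
        live.append(ps)
    for name, reason in find_stale_temporary_sets(live, datetime.now(timezone.utc)):
        print(f"{name}: {reason}")
```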

AWS setup

Setting up AWS accounts

For Entitle to connect and manage resource access for SSO users across the accounts in your organization, the following needs to be set up:

  • For SSO control and initial access to the organization, an IAM user in the root account with SSO management access.
  • For each sub-account, a role with management access to all the resources you want to manage in that account.

Root account - set up an IAM user

  • Create an IAM user with programmatic credentials and keep those credentials; Entitle needs them to connect.
  • Create two policies, the SSO Management Policy and the Base Permissions Management Policy, with the contents below.
SSO Management Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DetachUserPolicy",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetSAMLProvider",
                "iam:UpdateSAMLProvider",
                "iam:ListAttachedRolePolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicies",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "identitystore:CreateGroupMembership",
                "identitystore:DeleteGroupMembership",
                "identitystore:DescribeGroup",
                "identitystore:DescribeGroupMembership",
                "identitystore:DescribeUser",
                "identitystore:GetGroupId",
                "identitystore:GetGroupMembershipId",
                "identitystore:GetUserId",
                "identitystore:IsMemberInGroups",
                "identitystore:ListGroupMemberships",
                "identitystore:ListGroupMembershipsForMember",
                "identitystore:ListGroups",
                "identitystore:ListUsers",
                "organizations:ListAccounts",
                "sso-directory:DescribeUsers",
                "sso:AttachCustomerManagedPolicyReferenceToPermissionSet",
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeletePermissionSet",
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:DescribePermissionSet",
                "sso:DetachCustomerManagedPolicyReferenceFromPermissionSet",
                "sso:ListAccountAssignments",
                "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
                "sso:ListInstances",
                "sso:ListPermissionSets",
                "sso:ListTagsForResource",
                "sso:TagResource",
                "sso:UntagResource"
            ],
            "Resource": "*"
        }
    ]
}
Base Permissions Management Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachUserPolicy",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DetachUserPolicy",
                "iam:DetachRolePolicy",
                "iam:DeleteRole",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:ListAttachedRolePolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicies",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoleTags",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:TagPolicy",
                "iam:UntagPolicy",
                "iam:TagRole",
                "iam:UntagRole",
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}
  • Assign the policies you created to Entitle's user.

📘 Note: You can also choose a pod-based identity instead of setting up a user.

To connect Entitle with your AWS app this way, follow the steps below:

  • Create a new role.
  • Save that role's ARN; it is used to configure your AWS integration in the access_role_arn field (see the Entitle integration setup section below).
  • Assign the SSO Management Policy above to the role.
  • To secure the connection between your AWS account and Entitle, set a trust relationship so that Entitle can assume the roles you intend to manage. Add the trust relationship below to the role you created:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::321183744702:role/entitle-prod-ichilov@entitle"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Root account - set up permissions to assume role in sub accounts

  • Decide on a role name; you will later need to create a role with that name in each sub-account you want Entitle to manage. From now on we'll refer to it as the "sub-account role name".
  • Create a policy using the Root Account Access To Sub Account Policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/<SUBACCOUNT_ROLES_NAME>"
        }
    ]
}
  • Fill in the ARNs of the roles created for each of the sub-accounts (see the sub-account section below).

Root account - retrieve SSO information

  • Go to IAM Identity Center → Settings → Details → ARN and keep the ARN.
    This is the SSO instance ARN you will need for the configuration.
  • Copy and keep the region in which the SSO is set up; it is required for the integration as well.

💡 The following sections regarding the sub-accounts need to be executed for each of the sub-accounts you want Entitle to manage.

Sub account - creating a role (repeat for each sub-account)

The role created in this step is how Entitle accesses the resources in this sub-account.

Step by step:

  1. Create a new IAM role.
  2. Create the Base Permissions Management Policy below; it is required to allow Entitle to manage permissions in the account.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachUserPolicy",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DetachUserPolicy",
                "iam:DetachRolePolicy",
                "iam:DeleteRole",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:ListAttachedRolePolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicies",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListRoleTags",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:TagPolicy",
                "iam:UntagPolicy",
                "iam:TagRole",
                "iam:UntagRole",
                "organizations:ListAccounts",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}
  3. Create the policies for the resources you want to manage in that account using the Resource-Specific Policies below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListEntitiesForPolicy",
                "iam:AttachUserPolicy",
                "iam:ListUsers",
                "iam:ListUserPolicies",
                "iam:ListPolicyTags",
                "iam:TagPolicy",
                "iam:TagUser"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "s3:GetBucketTagging",
                "ec2:DescribeInstances",
                "iam:GetPolicy",
                "ec2:DescribeTags",
                "ec2:DescribeRegions",
                "iam:ListEntitiesForPolicy",
                "iam:AttachUserPolicy",
                "s3:ListBucket",
                "iam:ListUserPolicies",
                "iam:CreatePolicy",
                "s3:ListAllMyBuckets",
                "iam:ListUsers",
                "iam:ListPolicyTags",
                "iam:DetachUserPolicy"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetRole",
                "iam:GetPolicyVersion",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:AttachUserPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:CreatePolicy",
                "iam:ListUsers",
                "iam:ListPolicyTags",
                "iam:DetachUserPolicy"
            ],
            "Resource": "*"
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListPolicies",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListEntitiesForPolicy",
                "iam:AttachUserPolicy",
                "iam:ListUserPolicies",
                "iam:CreatePolicy",
                "iam:ListUsers",
                "iam:ListPolicyTags",
                "iam:DetachUserPolicy",
                "secretsmanager:ListSecrets",
                "secretsmanager:DescribeSecret"
            ],
            "Resource": "*"
        }
    ]
}
  4. Assign the policies created in steps 2 and 3 to the role created in step 1.
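Every policy in this guide, for the root account and the sub-accounts alike, grants its actions on "Resource": "*", so before attaching them a reviewer wants a quick inventory of what each one really hands out. The following Python helper is an added example and not Entitle's code; PRIVILEGE_ACTIONS is our own short watch list and the sample policy is a constructed excerpt with a deliberately repeated entry to show what the check catches:

```python
import json
from collections import Counter

# Actions that change who can do what; granted on "Resource": "*" they deserve a second look.
PRIVILEGE_ACTIONS = {
    "iam:attachrolepolicy", "iam:attachuserpolicy", "iam:putrolepolicy", "iam:createrole",
    "iam:createpolicyversion", "sso:createaccountassignment",
    "sso:attachmanagedpolicytopermissionset", "sts:assumerole",
}

def review_policy(doc: str) -> dict:
    """Parse one IAM policy document and report what a reviewer would look at first."""
    policy = json.loads(doc)
    report = {"duplicates": [], "privileged_on_wildcard": [], "services": set()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # Compare case-insensitively so re-cased spellings (UnTagRole vs UntagRole) are caught too.
        counts = Counter(a.lower() for a in actions)
        report["duplicates"] += sorted(a for a, n in counts.items() if n > 1)
        report["services"].update(a.split(":")[0].lower() for a in actions)
        if "*" in resources:
            report["privileged_on_wildcard"] += sorted(a for a in counts if a in PRIVILEGE_ACTIONS)
    report["services"] = sorted(report["services"])
    return report

# Constructed excerpt of the Base Permissions Management Policy from this guide; the second
# iam:TagPolicy entry is added on purpose so the duplicate check has something to find.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:GetRole", "iam:TagPolicy",
                   "organizations:ListAccounts", "iam:UnTagRole", "iam:TagPolicy"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    print(json.dumps(review_policy(SAMPLE_POLICY), indent=2))
```

Run it over the AssumeRole policy from the root-account section as well: its resource is an ARN pattern rather than "*", so sts:AssumeRole is not flagged there.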

Entitle integration setup

  • Credentials - refer to the root account.
  • Region - the region in which the root account's SSO resides.
  • SSO instance ARN - the ARN of the SSO instance.
  • Sub-accounts - for each sub-account that needs settings different from those under options, fill in the details within its own scope.
  • tags - optional; only resources carrying the listed tags are retrieved.
Configuration using an IAM user's access keys for the root account:
{
    "root_account": {
        "access_key_id": "<ACCESS_KEY_ID>",
        "secret_access_key": "<SECRET_ACCESS_KEY>",
        "region": "<REGION>"
    },
    "sub_accounts": [
        {
            "account_id": "<SUB_ACCOUNT_ID>",
            "access_role_arn": "<SUB_ACCOUNT_ROLE_ARN>",
            "region": "<REGION>",
            "tags": [
                {
                    "key": "environment",
                    "value": "test"
                }
            ]
        }
    ],
    "options": {
        "sso_instance_arn": "<INSTANCE_ARN_OF_SSO_FEDERATION>",
        "tags": [
            {
                "key": "environment",
                "value": "test"
            }
        ]
    }
}

Configuration using a role (pod-based identity) for the root account:
{
    "root_account": {
        "account_id": "<ROOT_ACCOUNT_ID>",
        "access_role_arn": "<ROLE_ARN>",
        "region": "<REGION>"
    },
    "options": {
        "sso_instance_arn": "<YOUR_SSO_INSTANCE_ARN>",
        "resource_types": [],
        "tags": []
    },
    "sub_accounts": [
        {
            "account_id": "<SUB_ACCOUNT_ID>",
            "access_role_arn": "<SUB_ACCOUNT_ROLE_ARN>",
            "region": "<REGION>",
            "tags": [
                {
                    "key": "environment",
                    "value": "test"
                }
            ]
        }
    ]
}
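A pre-flight check for the configuration above, added here as an example and not part of Entitle's tooling. The field rules it applies (root account with either access keys or a role, sub-accounts with account_id plus access_role_arn, a role ARN that belongs to the same account it is listed under, no angle-bracket placeholders left in) are inferred from the two templates above, and the sample config is constructed:

```python
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PLACEHOLDER_RE = re.compile(r"<[A-Z_]+>")  # the angle-bracket values in the templates above

def validate_config(doc: str) -> list:
    """Return the problems found in an Entitle AWS integration config; an empty list means ok."""
    cfg = json.loads(doc)
    problems = [f"placeholder {p} was not replaced" for p in sorted(set(PLACEHOLDER_RE.findall(doc)))]

    def check_account(label, acct, keys_allowed):
        has_keys = {"access_key_id", "secret_access_key"} <= set(acct)
        has_role = {"account_id", "access_role_arn"} <= set(acct)
        if not ((has_keys and keys_allowed) or has_role):
            problems.append(f"{label}: needs account_id + access_role_arn"
                            + (" or access_key_id + secret_access_key" if keys_allowed else ""))
        if "region" not in acct:
            problems.append(f"{label}: region is missing")
        if has_role and not PLACEHOLDER_RE.search(acct["access_role_arn"]):
            m = ROLE_ARN_RE.match(acct["access_role_arn"])
            if not m:
                problems.append(f"{label}: access_role_arn is not an IAM role ARN")
            elif m.group(1) != acct["account_id"]:
                # The role must live in the account it grants access to; a mismatch only surfaces
                # later, when the AssumeRole call is attempted.
                problems.append(f"{label}: access_role_arn is in account {m.group(1)}, "
                                f"not {acct['account_id']}")

    check_account("root_account", cfg.get("root_account", {}), keys_allowed=True)
    if "sso_instance_arn" not in cfg.get("options", {}):
        problems.append("options.sso_instance_arn is missing")
    for i, sub in enumerate(cfg.get("sub_accounts", [])):
        check_account(f"sub_accounts[{i}]", sub, keys_allowed=False)
    return problems

# Constructed config with two mistakes: an unreplaced placeholder and a sub-account whose
# access_role_arn points at a role in a different account. Ids and ARNs are not real.
SAMPLE_CONFIG = json.dumps({
    "root_account": {"account_id": "111111111111", "region": "us-east-1",
                     "access_role_arn": "arn:aws:iam::111111111111:role/entitle-access"},
    "options": {"sso_instance_arn": "<YOUR_SSO_INSTANCE_ARN>", "resource_types": [], "tags": []},
    "sub_accounts": [{"account_id": "222222222222", "region": "us-east-1",
                      "access_role_arn": "arn:aws:iam::333333333333:role/entitle-access"}],
})

if __name__ == "__main__":
    for problem in validate_config(SAMPLE_CONFIG) or ["config looks consistent"]:
        print(problem)
```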