Configuring IAM Roles in AWS

    Britive needs the following AWS managed policies attached to the IAM role to connect to AWS successfully:

    • IAMReadOnlyAccess
    • AWSOrganizationsReadOnlyAccess
    Note:
    Only read-only access is needed here because the role is used mainly for scanning in Britive, so write access is not required. The one exception is the optional inline policy for Britive-managed roles described in the procedure below, which grants write access only to roles under the britive/managed/ path.

    Creating an IAM Role in AWS

    Perform the following steps to create an IAM role in an AWS account: 

    1. Log in to the AWS console with administrator privileges. 
    2. Open the IAM console. 
    3. Select IAM > Access management > Roles.
    4. Click Create role.
    5. Enter the following in the Create role page:
      1. Select SAML 2.0 federation.
      2. In SAML 2.0-based provider, select the identity provider that you added as explained in the section Configuring Britive Identity Provider in AWS.
      3. Select Allow programmatic access only.
      4. Enter the following for the Attribute and Value fields: 
      5. Click Next.
      6. Enter the following on the Add Permissions page:
        1. Search for IAMReadOnlyAccess in Filter policies.
        2. Select IAMReadOnlyAccess.
        3. Search for AWSOrganizationsReadOnlyAccess in Filter policies.
        4. Select AWSOrganizationsReadOnlyAccess.
        5. Click Next.
      7. For session invalidation (optional), see Configuring Session Invalidation.
      8. (Optional) Britive-managed roles support: if an application must support creating Britive-managed roles through Access Builder, update each Integration Role in the AWS environment to allow the following inline policy. Its Resource element scopes the IAM write actions to roles under the britive/managed/ path, so the integration role gains no write access to any other role.
        Inline policy
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [
                        "iam:DetachRolePolicy",
                        "iam:UntagRole",
                        "iam:DeleteRolePolicy",
                        "iam:TagRole",
                        "iam:CreateRole",
                        "iam:DeleteRole",
                        "iam:AttachRolePolicy",
                        "iam:UpdateRole",
                        "iam:PutRolePolicy"
                    ],
                    "Resource": "arn:aws:iam::<account_id>:role/britive/managed/*"
                }
            ]
        }
        
        
      9. Enter the following on the Name, review, and create page:
        1. Enter a Role name (maximum 64 characters; alphanumeric characters and the special characters + = , . @ - _ are allowed).
        2. Enter a Role description (optional).
        3. Add the following actions and condition to the trust relationship, as shown in the example below:
          Trust Relationship
          {
             "Version":"2012-10-17",
             "Statement":[
                {
                   "Effect":"Allow",
                   "Principal":{
                      "Federated":"arn:aws:iam::<account>:saml-provider/Britive"
                   },
                   "Action":[
                      "sts:AssumeRoleWithSAML",
                      "sts:SetSourceIdentity"
                   ],
                   "Condition":{
                      "StringEquals":{
                         "SAML:aud":"https://signin.aws.amazon.com/saml"
                      }
                   }
                }
             ]
          }

        4. Click Create role. A message is displayed that the role is created.
    6. Select the newly created IAM role in the role list for the AWS account to view its details on the Summary page. Note the Maximum session duration shown there; it is the value used when configuring the role properties in the Britive tenant.
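    The console steps above, the trust relationship, and the optional Britive-managed roles inline policy can also be produced and audited from code. The following is an added example, not part of this documentation or of Britive's own tooling: it builds the two policy documents exactly as shown on this page, creates the role with boto3 (the function name create_integration_role, the inline policy name BritiveManagedRoles, and the role description are this example's own choices), and includes a check that compares an existing role's trust policy with the one documented here, flagging a widened principal, extra STS actions, or a dropped SAML:aud condition. It assumes the SAML provider is named Britive, as in the trust relationship above, and that the account ID is supplied by the caller; only the create function needs boto3 and AWS credentials.

```python
"""Build and audit the IAM policy documents for a Britive integration role.

Added example, not part of the Britive documentation or Britive's tooling.
Assumptions: the SAML provider is named "Britive" (as in the page's trust
relationship) and the account ID comes from the caller. boto3 is needed only
by create_integration_role(); the builders and the check run offline.
"""
import json

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
REQUIRED_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"}
# The two managed policies the page requires for read-only scanning.
READ_ONLY_POLICY_ARNS = (
    "arn:aws:iam::aws:policy/IAMReadOnlyAccess",
    "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess",
)
# Actions of the optional Britive-managed roles inline policy (step 8).
MANAGED_ROLE_ACTIONS = [
    "iam:DetachRolePolicy", "iam:UntagRole", "iam:DeleteRolePolicy", "iam:TagRole",
    "iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy", "iam:UpdateRole",
    "iam:PutRolePolicy",
]


def build_trust_policy(account_id, provider_name="Britive"):
    """Trust relationship from the page: only the Britive SAML provider may assume
    the role, and only with an assertion addressed to the AWS sign-in audience."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": sorted(REQUIRED_ACTIONS),
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def build_managed_roles_policy(account_id):
    """Optional inline policy: IAM write actions scoped to roles under the
    britive/managed/ path; it grants nothing on any other role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": list(MANAGED_ROLE_ACTIONS),
            "Resource": f"arn:aws:iam::{account_id}:role/britive/managed/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, account_id, provider_name="Britive"):
    """Audit an existing AssumeRolePolicyDocument (e.g. from `aws iam get-role`)
    against the page's trust relationship. Returns a list of findings (empty means
    it matches): a widened principal, extra or missing STS actions, or a dropped
    SAML:aud condition, each of which would let something other than Britive's
    SAML federation assume the role."""
    expected = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    findings = []
    statements = _as_list(doc.get("Statement", []))
    if not statements:
        findings.append("no statements")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Federated"}:
            findings.append(f"statement {i}: principal is not a single Federated entry: {principal!r}")
        elif _as_list(principal["Federated"]) != [expected]:
            findings.append(f"statement {i}: unexpected federated principal {principal['Federated']!r}")
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != REQUIRED_ACTIONS:
            findings.append(f"statement {i}: actions {sorted(actions)} differ from {sorted(REQUIRED_ACTIONS)}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud condition missing or wrong: {aud!r}")
    return findings


def create_integration_role(account_id, role_name, with_managed_roles=False, provider_name="Britive"):
    """Create the role the console steps produce (needs boto3 and IAM write credentials;
    imported here so the rest of the module stays offline). Returns MaxSessionDuration,
    the value the page says to use for the role properties in the Britive tenant."""
    import boto3
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name, Description="Britive integration role (read-only scanning)",
                    AssumeRolePolicyDocument=json.dumps(build_trust_policy(account_id, provider_name)))
    for arn in READ_ONLY_POLICY_ARNS:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=arn)
    if with_managed_roles:  # optional step 8
        iam.put_role_policy(RoleName=role_name, PolicyName="BritiveManagedRoles",
                            PolicyDocument=json.dumps(build_managed_roles_policy(account_id)))
    return iam.get_role(RoleName=role_name)["Role"]["MaxSessionDuration"]
```

    To audit a role that already exists, pass the AssumeRolePolicyDocument from `aws iam get-role --role-name <name>` to check_trust_policy() with your account ID; a non-empty result lists what diverges from the trust relationship documented above. The check deliberately treats any principal other than a single Federated entry, and any action set other than the two STS actions on this page, as a finding, because a trust policy that also allows an AWS account or service principal no longer restricts assumption to Britive's SAML federation.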

    Now that you have completed the onboarding prerequisites, you can choose to onboard AWS applications or AWS standalone applications per your requirement, and proceed with the onboarding process. 

    For more information about creating a role in AWS, see Creating a role for SAML 2.0 federation.
