Allow External Users to Access AWS Resources

The Scenario

Your organization is already managing users at a central location like Microsoft Active Directory and you want to avoid managing the same users at AWS.

The Solution: Identity federation

What we want is to tell AWS to trust our third-party user management service and to use credentials issued by that service to access AWS services and resources.

Identity Federation Types

Identity Federation can be achieved using the following:

  • Single Sign On (SSO)
  • Web Identity Federation with AWS Cognito
  • Web Identity Federation without AWS Cognito
  • SAML 2.0
  • Custom Identity Broker
  • AWS Microsoft AD

SAML 2.0

What is SAML 2.0? From the AWS docs we can read ...

"AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use."

The authentication flow looks as follows ...

AWS SAML authentication flow
  1. User requests SAML assertion from the IdP
  2. IdP authenticates user against LDAP
  3. IdP responds with a SAML assertion to user
  4. The user assumes a role with SAML using STS
  5. STS responds with temporary credentials to user
  6. User accesses AWS resources using temporary credentials

Note:
With ADFS the flow is essentially the same: ADFS authenticates the user against AD and responds to the user with a SAML assertion.

The SAML assertion can also be used to sign in to the AWS console, by passing it to the SSO (single sign-on) API.

If you don't have a SAML 2.0 compatible backend you can use a custom identity broker.

Web Identity Federation

Using AssumeRoleWithWebIdentity is useful in an EKS / Kubernetes context when you want to give your pods specific IAM roles, i.e. permissions. Otherwise it's not recommended.

Cognito

Cognito is the AWS preferred way of letting app users access AWS resources.

The authentication flow using Cognito looks as follows:

AWS Cognito authentication flow
  1. User starts using app
  2. App exchanges login credentials for an ID token
  3. App exchanges ID token for a Cognito token
  4. App exchanges Cognito token for temporary AWS credentials via STS
  5. App has access to AWS resources

Some of the Cognito benefits are:

IAM Policy

You can identify a federated user in an IAM policy via the appropriate policy variables, such as:

  • cognito-identity.amazonaws.com:sub
  • www.amazon.com:user_id
  • graph.facebook.com:id
  • accounts.google.com:sub

For example, the following policy lets a user authenticated via Google list only the S3 prefix derived from their own subject id:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":["s3:ListBucket"],
         "Resource":"arn:aws:s3:::some-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["some/path/${accounts.google.com:sub}"]}}
      }
   ]
}
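To see what that policy variable buys you, here is an added example (not from the original post, and not the IAM engine itself) that models IAM's variable expansion and StringLike matching for the policy above, using constructed request contexts: one user listing their own prefix, another user trying the same prefix, and a caller without a Google subject at all.

```python
import fnmatch
import re

# Constructed copy of the policy shown above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": "arn:aws:s3:::some-bucket",
        "Condition": {"StringLike": {
            "s3:prefix": ["some/path/${accounts.google.com:sub}"]}},
    }],
}

VAR_RE = re.compile(r"\$\{([^}]+)\}")


def substitute(value, ctx):
    """Expand ${key} policy variables from the request context.
    Returns None when a referenced key is absent, so the condition can
    never match (e.g. a caller that was not federated through Google)."""
    if any(k not in ctx for k in VAR_RE.findall(value)):
        return None
    return VAR_RE.sub(lambda m: ctx[m.group(1)], value)


def string_like(pattern, actual):
    """IAM StringLike: case-sensitive, only '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(actual, pattern.replace("[", "[[]"))


def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches the action, the resource and
    every StringLike condition after expansion; otherwise implicit deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if stmt["Resource"] != resource:
            continue
        ok = True
        for key, patterns in stmt.get("Condition", {}).get("StringLike", {}).items():
            expanded = [substitute(p, ctx) for p in patterns]
            if key not in ctx or not any(
                    p is not None and string_like(p, ctx[key]) for p in expanded):
                ok = False
        if ok:
            return True
    return False
```

Because the page's pattern has no trailing wildcard, only the exact prefix `some/path/<sub>` is allowed; a `/*` suffix would extend it to everything beneath.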
Adnan Mujkanovic

Curious by nature, I love learning and grasping new concepts. My areas of interest are software development, DevOps, Economics, Philosophy and Science.