# okta saml roles module
Defines several well-known IAM roles and ties them to matching
Okta groups that are passed over as part of a SAML assertion.

Make sure you have an `OKTA_API_TOKEN` environment variable set with
an Okta API token.
## Providers
| Name | Version |
|------|---------|
| aws  | ~2.0?   |
| okta | ?       |
## Inputs
| Name | Description | Type | Required |
|------|-------------|------|----------|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud" | `string` | yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value | `string` | yes |
| trusted_arns | Any ARNs that should be able to AssumeRole. This is mostly intended for use in "child" AWS accounts. | `list(string)` | no |
## Roles created
| Role Name | Attached Policies | Description |
|-----------|-------------------|-------------|
| /user/mdr\_engineer | mdr\_engineer | "legacy" role. |
| /user/mdr\_engineer\_readonly | ReadOnlyAccess, mdr\_engineer\_readonly\_assumerole | Read only access to AWS console with ability to escalate to Terraformer role |
| /user/mdr\_iam\_admin | IAMFullAccess, iam\_admin\_kms | "legacy" role. |
| /user/mdr\_terraformer | mdr\_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |
## Policies created
| Policy Name | Description |
|-------------|-------------|
| mdr\_engineer | "legacy" policy. Gives effectively PowerUserAccess but with limitations on iam:PassRole and sts:AssumeRole. |
| iam\_admin\_kms | "legacy" policy. Gives several `kms:*` actions related to creating, destroying, and managing keys. Encrypt and Decrypt are noticeably absent. |
| mdr\_engineer\_readonly\_assumerole | Read only access to AWS console with ability to escalate to Terraformer role |
| mdr\_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |
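To show how the readonly role and its escalation policy fit together, here is an added Terraform example (not the module's own code): the role trusts the Okta SAML provider for `sts:AssumeRoleWithSAML`, restricted to the AWS sign-in audience, plus any `trusted_arns` for plain `sts:AssumeRole`, and the `mdr_engineer_readonly_assumerole` policy allows assuming only the Terraformer role. `var.okta_saml_provider_arn` and `aws_iam_role.mdr_terraformer` are assumed names.

```hcl
# Added example, not the module's own code. Assumed names: var.okta_saml_provider_arn
# (ARN of the IAM SAML provider for the Okta app) and aws_iam_role.mdr_terraformer
# (the Terraformer role defined elsewhere in the module).

# Who may become the readonly role: Okta users via SAML, plus any trusted_arns.
data "aws_iam_policy_document" "readonly_trust" {
  statement {
    actions = ["sts:AssumeRoleWithSAML"]
    principals {
      type        = "Federated"
      identifiers = [var.okta_saml_provider_arn]
    }
    # Accept only assertions addressed to the AWS sign-in endpoint.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
  # Cross-account AssumeRole for "parent" accounts; an empty list emits no statement.
  dynamic "statement" {
    for_each = length(var.trusted_arns) > 0 ? [1] : []
    content {
      actions = ["sts:AssumeRole"]
      principals {
        type        = "AWS"
        identifiers = var.trusted_arns
      }
    }
  }
}

resource "aws_iam_role" "mdr_engineer_readonly" {
  name               = "mdr_engineer_readonly"
  path               = "/user/"
  assume_role_policy = data.aws_iam_policy_document.readonly_trust.json
}

# Escalation path: the readonly role may assume only the Terraformer role.
data "aws_iam_policy_document" "readonly_assumerole" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.mdr_terraformer.arn]
  }
}

resource "aws_iam_policy" "mdr_engineer_readonly_assumerole" {
  name   = "mdr_engineer_readonly_assumerole"
  policy = data.aws_iam_policy_document.readonly_assumerole.json
}
```

The policy is attached to the role with `aws_iam_role_policy_attachment` alongside the managed `ReadOnlyAccess` policy. The `SAML:aud` value shown is the commercial-partition sign-in endpoint; the GovCloud app uses `https://signin.amazonaws-us-gov.com/saml`.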