# okta saml roles module

Defines several well-known IAM roles and ties them to matching Okta groups, which are passed along as part of the SAML assertion.

Make sure you have an `OKTA_API_TOKEN` environment variable set with an Okta API token.

## Providers

| Name | Version |
|------|---------|
| aws | ~2.0? |
| okta | ? |

## Inputs

| Name | Description | Type | Required |
|------|-------------|------|----------|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud" | `string` | Yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value | `string` | Yes |
| trusted_arns | Any ARNs that should be able to AssumeRole. This is mostly intended for use in "child" AWS accounts. | `list(string)` | No |

## Roles created

| Role Name | Attached Policies | Description |
|--------------------|-------------------|-------------|
| /user/mdr\_engineer | mdr\_engineer | "legacy" role. |
| /user/mdr\_engineer\_readonly | ReadOnlyAccess, mdr\_engineer\_readonly\_assumerole | Read-only access to the AWS console, plus the ability to escalate by assuming the Terraformer role |
| /user/mdr\_iam\_admin | IAMFullAccess, iam\_admin\_kms | "legacy" role. |
| /user/mdr\_terraformer | mdr\_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |

## Policies created

| Policy Name | Description |
|--------------------|-------------|
| mdr\_engineer | "legacy" policy. Gives effectively PowerUserAccess, but with limitations on iam:PassRole and sts:AssumeRole. |
| iam\_admin\_kms | "legacy" policy. Grants several `kms:*` actions related to creating, destroying, and managing keys. Encrypt and Decrypt are deliberately absent. |
| mdr\_engineer\_readonly\_assumerole | Read-only access to the AWS console, plus the ability to escalate by assuming the Terraformer role |
| mdr\_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |
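## Example usage

The following is an added example of calling the module with the inputs listed above, not code taken from the module itself. The module `source` path, the Okta `org_name`, the AWS account IDs and the SAML provider name are assumptions. The second block, `saml_trust_example`, is likewise illustrative: it shows the shape of trust policy a SAML-federated role is expected to carry (an `sts:AssumeRoleWithSAML` statement for the Okta identity provider, plus an `sts:AssumeRole` statement for whatever you pass in `trusted_arns`), so you know what to check in the roles the module produces. It is not a claim about how the module builds its trust policies.

```hcl
# Added usage example; not part of the module. Paths, org and account values are assumptions.

provider "aws" {
  region = "us-east-1"
}

# The okta provider picks up OKTA_API_TOKEN from the environment, as the README requires.
# org_name and base_url can also be supplied via OKTA_ORG_NAME / OKTA_BASE_URL.
provider "okta" {
  org_name = "example-org" # assumption
  base_url = "okta.com"
}

module "okta_saml_roles" {
  source = "./modules/okta-saml-roles" # assumed path

  okta_app      = "AWS - Commercial"
  account_alias = "example-prod"

  # Only set this in "child" accounts. Each ARN becomes an sts:AssumeRole principal
  # that bypasses the SAML login, so keep the list short and specific.
  trusted_arns = [
    "arn:aws:iam::111111111111:role/user/mdr_terraformer", # assumed parent-account role
  ]
}

# Illustrative only: the trust policy shape to verify on a SAML-federated role.
data "aws_iam_policy_document" "saml_trust_example" {
  # Okta-federated login path.
  statement {
    actions = ["sts:AssumeRoleWithSAML"]

    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::222222222222:saml-provider/Okta"] # assumed provider name
    }

    # Pins the assertion audience to the AWS sign-in endpoint. For GovCloud the
    # value is https://signin.amazonaws-us-gov.com/saml instead.
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }

  # Cross-account path corresponding to trusted_arns.
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:role/user/mdr_terraformer"]
    }
  }
}
```

After `terraform apply`, inspect the trust policy the module actually attached, for example with `aws iam get-role --role-name mdr_terraformer --query Role.AssumeRolePolicyDocument`, and confirm that the `SAML:aud` condition is present and that the only `AWS` principals are the ARNs you passed in `trusted_arns`.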