README.md 2.0 KB
okta saml roles module
Defines several well-known IAM roles and ties them to matching OKTA groups that are passed over as part of a SAML assertion.
Make sure you have an OKTA_API_TOKEN enviornment variable set with
an Okta API token.
Providers
| Name | Version |
|---|---|
| aws | ~2.0? |
| okta | ? |
Inputs
| Name | Description | Type | Required |
|---|---|---|---|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud" | string |
Yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value | string |
yes |
| trusted arns | Any ARNS that should be able to AssumeRole. This is mostly intended for use in "child" AWS accounts. | list(string) |
no |
Roles created
| Role Name | Attached Policies | Description |
|---|---|---|
| /user/mdr_engineer | mdr_engineer | "legacy" role. |
| /user/mdr_engineer_readonly | ReadOnlyAccess mdr_engineer_readonly_assumerole |
Read only access to AWS console with ability to escalate to Terraformer role |
| /user/mdr_iam_admin | IAMFullAccess iam_admin_kms |
"legacy" role. |
| /user/mdr_terraformer | mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |
Policies created
| Policy Name | Description |
|---|---|
| mdr_engineer | "legacy" policy. Gives effectively PowerUserAccess but with limitations on iam:PassRole and sts:AssumeRole. |
| iam_admin_kms | "legacy" policy. Gives several kms:* actions related to creating, destroying, and managing keys. Encrypt and Decrypt are noticeably absent. |
| mdr_engineer_readonly_assumerole | Read only access to AWS console with ability to escalate to Terraformer role |
| mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole |