# okta saml roles module

Defines several well-known IAM roles and ties them to matching Okta groups that are passed over as part of the SAML assertion.

Make sure you have an `OKTA_API_TOKEN` environment variable set with an Okta API token before running this module.
## Providers

| Name | Version |
|------|---------|
| aws  | ~2.0?   |
| okta | ?       |
## Inputs

| Name | Description | Type | Required |
|------|-------------|------|----------|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud". | string | yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value. | string | yes |
| trusted arns | Any ARNs that should be able to AssumeRole. This is mostly intended for use in "child" AWS accounts. | list(string) | no |
## Roles created

| Role Name | Attached Policies | Description |
|-----------|-------------------|-------------|
| /user/mdr_engineer | mdr_engineer | "legacy" role. |
| /user/mdr_engineer_readonly | ReadOnlyAccess, mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role. |
| /user/mdr_iam_admin | IAMFullAccess, iam_admin_kms | "legacy" role. |
| /user/mdr_terraformer | mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole. |
## Policies created

| Policy Name | Description |
|-------------|-------------|
| mdr_engineer | "legacy" policy. Gives effectively PowerUserAccess but with limitations on iam:PassRole and sts:AssumeRole. |
| iam_admin_kms | "legacy" policy. Gives several kms:* actions related to creating, destroying, and managing keys. Encrypt and Decrypt are noticeably absent. |
| mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role. |
| mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole. |
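Because the roles above are entered through a SAML assertion from Okta and, via the `trusted arns` input, through plain `sts:AssumeRole` from other accounts, the role trust policies are the control that decides who can reach the Terraformer role at all. The script below is an added example (not part of this module) that lints a role trust policy the way a reviewer would before applying the module: it flags wildcard principals, a SAML statement that lacks the `SAML:aud` audience condition, and any `AssumeRole` principal that is not on the configured trusted list. The sample policy, the account ids, the SAML provider ARN and the trusted ARN list are constructed placeholders; the role path `/user/mdr_terraformer` is the one this module creates.

```python
import json

# Standard AWS SAML audience value that the SAML:aud condition should pin.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed example of the "trusted arns" input: one role in a child account.
# Account ids are placeholders.
TRUSTED_ARNS = ["arn:aws:iam::222222222222:role/user/mdr_terraformer"]

# Constructed sample trust policy for a role created by a module like this one:
# the Okta SAML provider may call AssumeRoleWithSAML, and the trusted child-account
# role may call AssumeRole. Provider name and account id are placeholders.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::111111111111:saml-provider/Okta"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": TRUSTED_ARNS[0]},
            "Action": "sts:AssumeRole",
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, trusted_arns):
    """Return a list of findings; an empty list means the trust policy passes."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))

        # A wildcard principal lets any AWS principal attempt to assume the role.
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        ):
            findings.append(f"statement {idx}: wildcard principal")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: unexpected principal {principal!r}")
            continue

        # SAML entry: must come from a Federated provider and pin the audience,
        # otherwise an assertion issued for another service would be accepted.
        if "sts:AssumeRoleWithSAML" in actions:
            if "Federated" not in principal:
                findings.append(f"statement {idx}: AssumeRoleWithSAML without a Federated principal")
            aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != SAML_AUDIENCE:
                findings.append(f"statement {idx}: AssumeRoleWithSAML without the SAML:aud condition")

        # Plain AssumeRole entry: every principal must be on the trusted list.
        if "sts:AssumeRole" in actions:
            for arn in _as_list(principal.get("AWS")):
                if arn not in trusted_arns:
                    findings.append(f"statement {idx}: AssumeRole principal {arn} is not in trusted arns")
    return findings


def with_wildcard_principal(policy):
    """Copy of the policy with the first statement opened to any principal (for testing the lint)."""
    weakened = json.loads(json.dumps(policy))
    weakened["Statement"][0]["Principal"] = "*"
    return weakened


def without_saml_audience(policy):
    """Copy of the policy with the SAML:aud condition removed from the first statement."""
    weakened = json.loads(json.dumps(policy))
    weakened["Statement"][0].pop("Condition", None)
    return weakened


if __name__ == "__main__":
    for label, pol, trusted in [
        ("as configured", SAMPLE_TRUST_POLICY, TRUSTED_ARNS),
        ("no trusted arns", SAMPLE_TRUST_POLICY, []),
        ("wildcard principal", with_wildcard_principal(SAMPLE_TRUST_POLICY), TRUSTED_ARNS),
        ("missing SAML:aud", without_saml_audience(SAMPLE_TRUST_POLICY), TRUSTED_ARNS),
    ]:
        print(label, "->", check_trust_policy(pol, trusted) or "ok")
```

Run it against the trust policy Terraform plans for each role (for example from `aws iam get-role` output) with the same list you pass as `trusted arns`; a non-empty result on the Terraformer role means an unplanned path to full read/write access.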