Defines several well-known IAM roles and ties them to matching Okta groups that are passed in as part of the SAML assertion.

Make sure you have an `OKTA_API_TOKEN` environment variable set with an Okta API token before running this module.

| Name | Version |
|---|---|
| aws | ~2.0? |
| okta | ? |

| Name | Description | Type | Required |
|---|---|---|---|
| okta_app | The (friendly) name of the Okta app. In our environment either "AWS - Commercial" or "AWS - GovCloud". | string | Yes |
| account_alias | The account alias that should be set for the AWS account. This is an AWS global value. | string | Yes |
| trusted_arns | Any ARNs that should be able to AssumeRole into these roles. This is mostly intended for use in "child" AWS accounts. | list(string) | No |

| Role Name | Attached Policies | Description |
|---|---|---|
| /user/mdr_engineer | mdr_engineer | "legacy" role. |
| /user/mdr_engineer_readonly | ReadOnlyAccess, mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role. |
| /user/mdr_iam_admin | IAMFullAccess, iam_admin_kms | "legacy" role. |
| /user/mdr_terraformer | mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole. |
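As an added example (not the module's own code), this is how the trust policy for one of the `/user/` roles can be expressed: Okta users arrive through the SAML assertion, and in "child" accounts the `trusted_arns` principals may additionally call `sts:AssumeRole`. The `saml_provider_arn` variable and the variable declarations shown are assumptions for the sake of the example.

```hcl
# Added example; not part of this module. `saml_provider_arn` is assumed to
# hold the ARN of the Okta SAML identity provider registered in the account.
variable "saml_provider_arn" {
  type = string
}

variable "trusted_arns" {
  type    = list(string)
  default = []
}

data "aws_iam_policy_document" "user_role_trust" {
  # Okta users federate in via SAML. Pinning SAML:aud to the AWS sign-in
  # endpoint stops an assertion minted for another audience from being replayed.
  statement {
    sid     = "OktaSAML"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithSAML"]
    principals {
      type        = "Federated"
      identifiers = [var.saml_provider_arn]
    }
    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }

  # Emitted only when trusted_arns is non-empty, so a parent-account role
  # can AssumeRole here; an empty list produces no extra trust at all.
  dynamic "statement" {
    for_each = length(var.trusted_arns) > 0 ? [1] : []
    content {
      sid     = "TrustedArns"
      effect  = "Allow"
      actions = ["sts:AssumeRole"]
      principals {
        type        = "AWS"
        identifiers = var.trusted_arns
      }
    }
  }
}

resource "aws_iam_role" "mdr_engineer_readonly" {
  name               = "mdr_engineer_readonly"
  path               = "/user/"
  assume_role_policy = data.aws_iam_policy_document.user_role_trust.json
}
```

Review the rendered policy with `terraform plan` before applying; every entry in `trusted_arns` becomes a principal that can obtain this role's permissions without going through Okta.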

| Policy Name | Description |
|---|---|
| mdr_engineer | "legacy" policy. Gives effectively PowerUserAccess but with limitations on iam:PassRole and sts:AssumeRole. |
| iam_admin_kms | "legacy" policy. Gives several kms:* actions related to creating, destroying, and managing keys. Encrypt and Decrypt are noticeably absent. |
| mdr_engineer_readonly_assumerole | Read-only access to the AWS console with the ability to escalate to the Terraformer role. |
| mdr_terraformer | Full read/write access to (almost) everything. Has some limitations around PassRole and AssumeRole. |