Optionally, for single sign-on, the platform can leverage the AWS user/role mappings that are managed by a SAML authentication provider. In this authentication scenario:

Usage:

When this feature is enabled, a user's available IAM roles are automatically synced via SAML. When a user signs in to the platform, the user can select their default role to use.

Pre-requisites

NOTE: When this feature is enabled and the platform is restarted, users of the platform cannot authenticate to AWS resources until IAM roles have been assigned to their accounts. Where possible, you should enable this feature on an unused instance of the platform.

Enable

To enable, the following configuration change must be applied.

Steps:

  1. Locate the following parameter, and set it to true:

    "feature.importAwsRoles.saml.enabled": true,
  2. Save your changes and restart the platform.

Configure

After the feature has been enabled, roles must be assigned to users.

List of Roles

The list of available roles is passed from the SAML identity provider to the platform. From this list of roles, each user can select the one to apply to the account.
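The following is an added example, not code from the product or its documentation, showing how the role list carried in a SAML assertion can be extracted and validated before it is offered to a user. It assumes the identity provider sends roles in the standard AWS SAML attribute (https://aws.amazon.com/SAML/Attributes/Role) as "role-arn,saml-provider-arn" pairs; the assertion below is constructed sample input. Malformed entries are dropped, and an empty result corresponds to the case in which the user has no role to select and cannot complete login.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"  # standard AWS attribute (assumption)
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w._-]+$")

# Constructed sample assertion: two valid role/provider pairs plus one malformed value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
      <saml:AttributeValue>arn:aws:iam::123456789012:role/analyst,arn:aws:iam::123456789012:saml-provider/corp-idp</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::123456789012:role/admin,arn:aws:iam::123456789012:saml-provider/corp-idp</saml:AttributeValue>
      <saml:AttributeValue>not-an-arn</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def selectable_roles(assertion_xml: str) -> list[str]:
    """Return the IAM role ARNs a user may choose from, in assertion order.

    Values that are not a well-formed "role,provider" pair (in either order)
    are skipped rather than offered to the user. An empty list means the user
    has no assignable role and cannot complete login until one is assigned.
    """
    root = ET.fromstring(assertion_xml)
    roles: list[str] = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            # IAM role names may contain commas, so try both split directions:
            # rsplit handles "role,provider", split handles "provider,role".
            for pair in (text.rsplit(",", 1), text.split(",", 1)):
                if len(pair) != 2:
                    continue
                left, right = (p.strip() for p in pair)
                if ROLE_ARN.match(left) and PROVIDER_ARN.match(right):
                    roles.append(left)
                    break
                if PROVIDER_ARN.match(left) and ROLE_ARN.match(right):
                    roles.append(right)
                    break
    return roles
```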

Per-User Assignments

Individual users must select the IAM role ARN to assume from the list exposed by the platform.

NOTE: Before a user is permitted to complete login to the application, the user must select a role from the provided list.

For more information, see Configure Your Access to S3.

Assignment per API

You can use the platform APIs to create platform AWS roles and assign them to users. For more information, see API Workflow - Manage AWS Configurations.