Excerpt

Cornell AWS account owners can create custom AWS IAM roles and have them linked to Cornell AD so that users with Cornell NetIDs can use Shibboleth to authenticate to AWS and be granted the privileges in the custom role.

Cornell AWS account administrators already take advantage of this capability when they use Shibboleth to log in to the AWS console. The IAM role named shib-admin in each Cornell AWS account typically grants full admin privileges in the form of the AWS-managed policy named "AdministratorAccess". A second standard role named "shib-cs" grants read-only access to each Cornell AWS account. It is used by the cloud support team when Cornell AWS users ask for assistance with their account.

Using CloudFormation?

If you use or would like to try using CloudFormation to do this task, this example CloudFormation template sets up a new role (shib-dba) and assigns privileges to it. You could modify that template to customize the role name and the privileges assigned for some other type of custom role. If you take that route, you'll still need to email cloud-support@cornell.edu with the information necessary for the Cloud Team to set up the corresponding Active Directory group for Shibboleth to use.

Using Terraform?

If you use Terraform, here is an example Terraform-based definition of an IAM role to work with Cornell Shibboleth: shib-role-example.tf

You can modify it to customize the role name and the privileges assigned for some other type of custom role. If you take that route, you'll still need to email cloud-support@cornell.edu with the information necessary for the Cloud Team to set up the corresponding Active Directory group for Shibboleth to use.
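Whether you use the CloudFormation template or the Terraform file above, the part that ties the role to Shibboleth is the role's trust policy. The following Python is an added example, not the page's own template or shib-role-example.tf: it builds the SAML trust policy a custom role like shib-dba needs and checks a policy for the settings that keep the role assumable only through the SAML identity provider. The account ID and the SAML provider name are constructed placeholders; substitute the values from your own Cornell AWS account.

```python
import json

# Constructed placeholders: take the real values from your own AWS account.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER_NAME = "cornell_idp"  # hypothetical provider name
# Fixed audience AWS puts in SAML assertions for console sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def shib_trust_policy(account_id: str, provider_name: str) -> dict:
    """Trust policy allowing only the named SAML provider to call
    sts:AssumeRoleWithSAML, and only for assertions aimed at AWS sign-in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated":
                          f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return problems that would let something other than the SAML IdP
    assume the role. An empty list means the trust policy looks as expected."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        principal = stmt.get("Principal", {})
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"statement {i}: wildcard principal")
        if isinstance(principal, dict) and set(principal) != {"Federated"}:
            findings.append(f"statement {i}: non-SAML principal {sorted(principal)}")
        if any(a != "sts:AssumeRoleWithSAML" for a in actions):
            findings.append(f"statement {i}: unexpected action(s) {actions}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud condition missing or wrong ({aud!r})")
    return findings


if __name__ == "__main__":
    policy = shib_trust_policy(ACCOUNT_ID, SAML_PROVIDER_NAME)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

The generated JSON can be pasted into the AssumeRolePolicyDocument of a CloudFormation AWS::IAM::Role or the assume_role_policy of a Terraform aws_iam_role; the permissions the role grants (for example a managed policy attachment) are separate from this trust policy.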

...