...
You can create custom IAM roles that integrate with the Cornell Shibboleth so that access to those roles is granted according membership in an AD group. See Creating Custom Roles to use With Shibboleth.
Can I use a Holiding ID, Guest ID, or DOC (delegation of control) account
...
to login to AWS?
No. Our Shibboleth implementation does not work with DOC accounts, Holding IDs, or Holding Guest IDs. (More info about various Cornell account types: https://it.cornell.edu/cornellad/terms-and-conditions-cornellad)
Can a user with only a Guest ID login to AWS via Shibboleth and the signin.aws.cornell.edu login page?
No. and Cornell's Shibboleth implementation does not support Guest IDs and thus users with Guest IDs cannot use the AWS-Cornell Shibboleth integration to authenticate to AWS. Please Implementation. Please contact cloud-support@cornell.edu to discuss other options.
...