

Cornell AWS account owners can create custom AWS IAM roles and have them linked to Cornell AD so that users with Cornell netids can authenticate to AWS through Shibboleth and be granted the privileges in the custom role.

Cornell AWS account administrators already take advantage of this capability when they use Shibboleth to log in to the AWS console. The IAM role named "shib-admin" in each Cornell AWS account typically grants full admin privileges in the form of the AWS-managed policy named "AdministratorAccess". A second standard role named "shib-cs" grants read-only access to each Cornell AWS account; it is used by the cloud support team when Cornell AWS users ask for assistance with their account.

Create a Custom Role

Follow these steps to create a new custom role in your AWS account:

  1. Log in to your AWS account through the AWS Web Console. The link http://signin.aws.cucloud.net will take you to your account.
  2. Navigate to the IAM service dashboard and click on "Roles" in the left navigation. Alternatively, click on this link to get there: https://console.aws.amazon.com/iam/home?region=us-east-1#/roles
  3. Click on the "Create New Role" button.
  4. Enter a name for the new role. The name must begin with the prefix "shib-" and contain no other hyphens, e.g. "shib-example". Click "Next Step".
  5. In the next step, select "Role for Identity Provider Access" and then click on "Select" for "Grant Web Single Sign-On (WebSSO) access to SAML providers".
  6. On the next screen, select "cornell_idp" as the value of "SAML provider" and click "Next Step".
  7. The next step shows you the JSON trust policy document you just created. It allows the cornell_idp SAML provider to assume the role, and there is no need to alter it, so click on "Next Step".
  8. In the "Attach Policy" step, search for and select the existing policies you wish to assign to the new role. You can select AWS-managed policies or custom policies that you created. You will be able to change the policies attached to the role later, and you will also be able to add inline policies to the role later, so don't worry too much about getting this exactly right now. Keep in mind, though, that every netid placed in the role's AD group will receive exactly these permissions, so attach only what those users actually need. For this example, we selected the "SecurityAudit" AWS-managed policy. Click on "Next Step" when you are finished selecting policies. If you don't know yet which policy to assign, you can skip this step and not assign any.
  9. The next step gives you a chance to confirm the configuration. Click on "Create Role".
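The same result can be produced with the AWS API instead of the console wizard. The script below is an added example written for this page, not Cornell's own tooling: it enforces the "shib-" naming rule from step 4, builds the SAML trust policy that the wizard generates for the "cornell_idp" provider (steps 5 through 7), creates the role and attaches "SecurityAudit" (steps 8 and 9), and includes a check you can run against any existing role's trust policy to confirm that it admits only Shibboleth logins. Assumptions: boto3 is installed and credentials for the target account are configured only when create_role() is called (everything else runs offline), the account number 095493758574 and role name "shib-example" are the sample values used on this page, https://signin.aws.amazon.com/saml is the standard audience AWS expects in SAML WebSSO assertions, and the function names are my own.

```python
"""Create and check a Shibboleth-federated IAM role (added example, not Cornell code).

Offline helpers: is_valid_role_name, build_trust_policy, trust_policy_is_shib_only,
expected_ad_group. create_role() additionally needs boto3 and AWS credentials.
"""
import json
import re

SAML_PROVIDER_NAME = "cornell_idp"                    # provider chosen in step 6
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # standard AWS SAML WebSSO audience
ROLE_PREFIX = "shib-"
# Characters IAM accepts in a role name, minus '-' after the required prefix
ROLE_NAME_RE = re.compile(r"^shib-[\w+=,.@]+$")


def is_valid_role_name(name: str) -> bool:
    """'shib-' prefix, at least one more character, and no further hyphens."""
    return ROLE_NAME_RE.match(name) is not None


def validate_role_name(name: str) -> str:
    if not is_valid_role_name(name):
        raise ValueError(f"role name must be 'shib-<suffix>' with no other hyphens: {name!r}")
    return name


def saml_provider_arn(account_id: str) -> str:
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"expected a 12-digit AWS account number: {account_id!r}")
    return f"arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER_NAME}"


def build_trust_policy(account_id: str) -> dict:
    """Trust policy equivalent to the console's 'WebSSO access to SAML providers' choice."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": saml_provider_arn(account_id)},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def trust_policy_is_shib_only(policy: dict, account_id: str) -> bool:
    """True only if every Allow statement lets this account's cornell_idp provider call
    sts:AssumeRoleWithSAML with the standard audience, and nothing else (no extra
    principals, no plain sts:AssumeRole from another account or an IAM user)."""
    expected = saml_provider_arn(account_id)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allow_seen = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        allow_seen = True
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        audience = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if actions != ["sts:AssumeRoleWithSAML"] or federated != expected or audience != SAML_AUDIENCE:
            return False
    return allow_seen


def expected_ad_group(account_id: str, role_name: str) -> str:
    """AD group the cloud team creates: CIT-<account number>-<role name without 'shib-'>."""
    saml_provider_arn(account_id)  # reuses the account-number check
    return f"CIT-{account_id}-{validate_role_name(role_name)[len(ROLE_PREFIX):]}"


def create_role(account_id, role_name, managed_policy_arns=("arn:aws:iam::aws:policy/SecurityAudit",)):
    """Steps 3 through 9 of the page via the API. Requires boto3 and account credentials."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    validate_role_name(role_name)
    iam = boto3.client("iam")
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(account_id)),
        Description=f"Shibboleth ({SAML_PROVIDER_NAME}) federated role",
    )["Role"]
    for policy_arn in managed_policy_arns:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return role["Arn"]


if __name__ == "__main__":
    # Constructed sample values (the account number and role name used on this page).
    # Prints the trust policy and the AD group name to request, without calling AWS.
    account, role = "095493758574", "shib-example"
    print(json.dumps(build_trust_policy(account), indent=2))
    print("AD group to request:", expected_ad_group(account, role))
    # create_role(account, role)  # uncomment, with credentials, to actually create it
```

The check in trust_policy_is_shib_only is the one worth running before you hand the role name to cloud-support: a role whose trust policy also allows sts:AssumeRole from another account or from an IAM user can be assumed without ever going through Shibboleth or the AD group, which silently bypasses the membership control this page sets up.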

Setup an AD Group for the New Role

The next part of the process is to create and configure the AD group connected to this role. This is done by the Cloud team.

  1. Send an email to cloud-support@cornell.edu with the following information:
    1. The name of your new role. In this example, that's "shib-example".
    2. The 12-digit account number of your AWS account.
    3. The name of the Cornell unit associated with the account (e.g. CALS).
    4. An initial list of Cornell netids you wish to be able to use this role in your account.
    5. A list of Cornell netids you wish to be able to manage the users in this newly created AD group.
  2. The Cloudification services team will create a new AD group named CIT-<AWS account number>-<role name without the "shib-" prefix>. In the above example, the cloud team would create an AD group named "CIT-095493758574-example". You will receive notification when the AD group is created, along with information about how to manage the members of that group when you want to make changes.
  3. Your new custom role is now ready to use. We suggest sending an email to the people who will be using it, asking them to log in to the AWS Web Console using this URL: http://signin.aws.cucloud.net/. If a person has access to only one role in one AWS account, they will automatically be sent to the AWS Web Console with that role assumed. If a person has access to more than one "shib" role, they will be asked which role they want to assume after they log in.


 
