Add an IAM role
Add your AWS IAM roles to Opal to allow your developers to request temporary access.
This guide assumes you've already configured your AWS organization in Opal.
Add a role
Use the following steps to connect an IAM role to Opal.
Trust policy
You must use the following trust policy for your role, substituting as follows:
- `${ACCOUNT_ID}`: The account ID of the account being configured.
- `${IDP_ISSUER_URL}`: The Identity Provider's issuer URL.
- `${OPAL_CLIENT_ID}`: The Client ID assigned to Opal via your IdP.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${IDP_ISSUER_URL}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${IDP_ISSUER_URL}:aud": "${OPAL_CLIENT_ID}"
        }
      }
    }
  ]
}
```
Create a role
Here is an example invocation for creating a role with the above trust policy file:
```bash
aws iam create-role \
  --role-name MyRoleWithPoliciesToBeManagedByOpal \
  --assume-role-policy-document file://trust_policy.json \
  --tags Key=opal,Value="" \
  --description "My role containing policies to be managed by Opal"
```
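Before running `create-role`, it is worth confirming that `trust_policy.json` is scoped the way the guide prescribes, since a trust policy that federates to the OIDC provider but omits the `aud` condition would let a token issued by the same IdP for any other client assume the role. The checker below is an added example, not Opal's code; the account ID, issuer URL and client ID it uses are constructed placeholders.

```python
import json

ACTION = "sts:AssumeRoleWithWebIdentity"

# Constructed placeholder values; substitute the real ones as the guide describes.
ACCOUNT_ID = "123456789012"
IDP_ISSUER_URL = "idp.example.com/oauth2/default"
OPAL_CLIENT_ID = "opal-client-id-placeholder"


def check_trust_policy(policy: dict, account_id: str, issuer: str, client_id: str) -> list:
    """Return findings for an IAM trust policy; an empty list means it matches the guide."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings, federated = [], False
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they are not the concern here
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "Federated" not in principal:
            findings.append(f"statement {i}: principal is not a Federated OIDC provider")
            continue
        federated = True
        if principal["Federated"] != provider_arn:
            findings.append(f"statement {i}: Federated principal is not {provider_arn}")
        actions = stmt.get("Action", [])
        if ([actions] if isinstance(actions, str) else actions) != [ACTION]:
            findings.append(f"statement {i}: Action must be exactly {ACTION}")
        # The aud condition binds the role to Opal's client ID; without it, a token
        # issued by the same IdP for any other client could assume the role.
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{issuer}:aud")
        if aud is None:
            findings.append(f"statement {i}: missing StringEquals condition on {issuer}:aud")
        elif aud != client_id:
            findings.append(f"statement {i}: {issuer}:aud is {aud!r}, expected {client_id!r}")
    if not federated:
        findings.append("no Allow statement federates to the OIDC provider")
    return findings


def load_and_check(path: str) -> list:
    """Check a trust policy file such as the trust_policy.json passed to create-role."""
    with open(path) as fh:
        return check_trust_policy(json.load(fh), ACCOUNT_ID, IDP_ISSUER_URL, OPAL_CLIENT_ID)


if __name__ == "__main__":
    import sys
    for finding in load_and_check(sys.argv[1]) or ["OK: trust policy matches the guide"]:
        print(finding)
```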
Attach policies to a role
Next, attach all the policies you want to show up in Opal under this role. You can do this in the AWS Console:
![Screen Shot 2020-12-03 at 3.19.33 PM.png 1768](https://files.readme.io/24f44d3-Screen_Shot_2020-12-03_at_3.19.33_PM.png)
Attaching policies to an Opal role.
Terraform
If you use Terraform, for an existing `aws_iam_role`, you can use the following arguments for the role you want to manage with Opal:
```hcl
assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${IDP_ISSUER_URL}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${IDP_ISSUER_URL}:aud": "${OPAL_CLIENT_ID}"
        }
      }
    }
  ]
}
POLICY

tags = {
  opal = ""
}
```
You can add policies to the `aws_iam_role` via the `aws_iam_role_policy_attachment` resource.
Access roles in Opal
Once you've added roles to Opal, you can find and request them easily in the Catalog, or manage them from the Inventory.
![SCR-20230313-mke.png 2312](https://files.readme.io/b6489eef44cf3be25786315ec6844172a58bd6785a580d122fbe9da6f551a9be-aws-iam-role.png)
AWS IAM roles are session-based, meaning your end users need to initiate their role-based session by clicking the Connect button on the resource.
![SCR-20230313-ml0.png 2312](https://files.readme.io/a886c25f2f7cf4ec7b50eff93aea29578e06edb0b5e889d32f75541282ec7c86-aws-connect.png)
Starting an IAM role session.
Once a session is started, you can access the AWS Console (the Amazon GUI) directly or update your CLI with this role's permissions.
![Screenshot 2021-02-15 at 9.14.20 PM.png 584](https://files.readme.io/66f3d3d-Screenshot_2021-02-15_at_9.14.20_PM.png)
Using an AWS IAM role session in Opal.