This guide assumes you’ve already configured your AWS organization in Opal.

Add a role

Use the following steps to connect an IAM role to Opal.

Trust policy

You must use the following trust policy for your role, substituting as follows:
  • ${ACCOUNT_ID}: The account ID of the account being configured.
  • ${IDP_ISSUER_URL}: The Identity Provider's issuer URL, written the way IAM writes it in the OIDC provider ARN: without the https:// scheme and without a trailing slash (for example login.example.com/oauth2/default). The OIDC identity provider for this issuer must already exist in the account.
  • ${OPAL_CLIENT_ID}: The Client ID assigned to Opal via your IdP.
The StringEquals condition on the aud claim is what limits the role to tokens the IdP issued for Opal's client ID; without it, any token from the same IdP, issued for any client, could assume the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${IDP_ISSUER_URL}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${IDP_ISSUER_URL}:aud": "${OPAL_CLIENT_ID}"
        }
      }
    }
  ]
}

Create a role

Here is an example invocation for creating a role with the above trust policy saved as trust_policy.json. The opal tag is what marks the role for Opal, so keep it:

aws iam create-role \
  --role-name MyRoleWithPoliciesToBeManagedByOpal \
  --assume-role-policy-document file://trust_policy.json \
  --tags Key=opal,Value="" \
  --description "My role containing policies to be managed by Opal"
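The two steps above (fill in the trust policy, then create the role from the file) are easy to get subtly wrong: leaving https:// in the issuer, or dropping the aud condition while editing. The following Python is an added example, not Opal's or AWS's own code, that renders trust_policy.json from the three substitution values and checks an existing trust policy against what Opal expects. The account ID, issuer URL and client ID in the main block are constructed sample values, and the check only covers the properties this page states; it does not talk to AWS.

```python
# Added example (not Opal's or AWS's own code): render the Opal trust policy
# from the three substitution values and check an existing policy against it.
import json
from urllib.parse import urlparse


def oidc_issuer(issuer_url: str) -> str:
    """IAM writes the issuer without its scheme or trailing slash in both the
    oidc-provider ARN and the condition keys; normalise the IdP URL to that form."""
    if "://" not in issuer_url:
        issuer_url = "https://" + issuer_url
    parsed = urlparse(issuer_url)
    return (parsed.netloc + parsed.path).rstrip("/")


def render_trust_policy(account_id: str, issuer_url: str, client_id: str) -> dict:
    """Build the trust policy shown on this page with the placeholders filled in."""
    issuer = oidc_issuer(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {"StringEquals": {f"{issuer}:aud": client_id}},
            }
        ],
    }


def check_trust_policy(policy: dict, account_id: str, issuer_url: str, client_id: str) -> list:
    """Return findings for a trust policy; an empty list means it matches the page's
    policy. Flags the mistakes that matter most: a wildcard principal, a Federated
    principal other than this account's OIDC provider, and a missing or wrong aud
    condition (without it, any token the IdP issues, for any client, can assume the role)."""
    issuer = oidc_issuer(issuer_url)
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    saw_web_identity = False
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*", "*") for a in actions):
            continue  # not the web-identity statement; nothing more to check here
        saw_web_identity = True
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != expected_principal:
            findings.append(
                f"statement {i}: Federated principal is {federated!r}, expected {expected_principal!r}"
            )
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{issuer}:aud")
        if aud is None:
            findings.append(f"statement {i}: no {issuer}:aud condition")
        elif aud != client_id:
            findings.append(f"statement {i}: aud is {aud!r}, expected {client_id!r}")
    if not saw_web_identity:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your account, IdP issuer and Opal client ID.
    ACCOUNT = "123456789012"
    ISSUER = "https://login.example.com/oauth2/default"
    CLIENT = "0oaexampleclientid"
    policy = render_trust_policy(ACCOUNT, ISSUER, CLIENT)
    print(json.dumps(policy, indent=2))  # save as trust_policy.json for aws iam create-role
    print("findings:", check_trust_policy(policy, ACCOUNT, ISSUER, CLIENT))
    weak = render_trust_policy(ACCOUNT, ISSUER, CLIENT)
    weak["Statement"][0]["Condition"] = {}  # the common mistake: aud check dropped
    print("findings:", check_trust_policy(weak, ACCOUNT, ISSUER, CLIENT))
```

To check a role that already exists, feed check_trust_policy the AssumeRolePolicyDocument returned by aws iam get-role together with the same three values; any finding means the role either trusts more than Opal's client or will not be assumable through it.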

Attach policies to a role

Next, attach all the policies you want to show up in Opal under this role. You can do this in the AWS Console:

Attaching policies to an Opal role.

Terraform

If you use Terraform, for an existing aws_iam_role, you can use the following arguments for the role you want to manage with Opal. Because ${...} is Terraform's own interpolation syntax, the placeholders cannot be left as-is inside a heredoc; either substitute the literal values or, as below, reference Terraform variables (var.account_id, var.idp_issuer_url and var.opal_client_id are assumed names, and var.idp_issuer_url must hold the issuer without the https:// scheme):
assume_role_policy = jsonencode({
  Version = "2012-10-17"
  Statement = [
    {
      Effect = "Allow"
      Principal = {
        # var.idp_issuer_url: issuer without https:// or a trailing slash
        Federated = "arn:aws:iam::${var.account_id}:oidc-provider/${var.idp_issuer_url}"
      }
      Action = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          # restricts the role to tokens the IdP issued for Opal's client ID
          "${var.idp_issuer_url}:aud" = var.opal_client_id
        }
      }
    }
  ]
})

# the opal tag marks the role for Opal; keep it
tags = {
  opal = ""
}
You can add policies to the aws_iam_role via the aws_iam_role_policy_attachment resource.

Access roles in Opal

Import roles from the Inventory by selecting Import items. After you've imported roles to Opal, users can request them from the Catalog and you can manage them from the Inventory. AWS IAM roles are session-based, so your end users need to initiate their role-based session by clicking the Connect button on the resource.

Starting an IAM role session.

Once a session is started, you can open the AWS Console (the Amazon GUI) directly or update your CLI with this role's credentials. These are temporary STS credentials obtained through AssumeRoleWithWebIdentity, so they expire and a new session is needed afterwards.

Using an AWS IAM role session in Opal.