Is it possible to add a condition to a Role policy on AWS so that only specific users will be able to log in (through Okta federation)? The purpose is to prevent someone with Active Directory permissions, or with admin permissions in the Okta console, from assigning himself to an admin group in AWS. So when he assigns himself to the role it won't work, since the user is not included in the policy.
Hi Yarin, you can assign specific AWS roles to Okta users, which can limit their access to AWS. You can find details on how this can be configured in our AWS and Okta Integration Guide (https://support.okta.com/help/servlet/fileField?retURL=/help/articles/Knowledge_Article/Amazon-Web-Services-and-Okta-Integration-Guide&entityId=ka0F0000000MeyyIAC&field=File_Attachment__Body__s). If you have any further questions specific to your integration, I suggest you open a case with our support team.
I too had the exact same question and found a solution through much Googling and some experimentation. As I'm sure you discovered, the problem is that accounts are not auto-provisioned in AWS, so there is no IAM user that you can assign permissions directly to. The solution is to use the SAML userID (in email format) that is passed in from the SAML assertion.
In the Okta-Admin role you set up in AWS, modify the trust relationship (Edit Role - Trust Relationships - Conditions) and add a condition that looks at the SAML:sub attribute, which is the SAML subject name and contains the actual user's email.
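As an added illustration of the trust-relationship condition described in the answer above (example code written for this page, not something posted by the answerer or taken from the Okta guide): the script builds the trust policy for the Okta-Admin role with a StringEquals condition on SAML:sub, and then emulates how STS evaluates that condition for an incoming assertion, so you can see that a user Okta has mapped to the role is still refused when his NameID is not in the list. The account ID, the SAML provider name "Okta" and the email addresses are constructed for the example.

```python
import json

# Constructed values for this example (not from the original thread): the AWS
# account ID and the name of the SAML provider you created for Okta in IAM.
ACCOUNT_ID = "123456789012"
SAML_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/Okta"
# Audience AWS expects in assertions sent to its SAML sign-in endpoint.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_trust_policy(allowed_subjects):
    """Trust policy for the Okta-Admin role: the Okta SAML provider may call
    sts:AssumeRoleWithSAML, but only when the assertion's subject (SAML:sub)
    is one of the listed NameIDs and the audience is the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": SAML_PROVIDER_ARN},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {
                    "StringEquals": {
                        "SAML:aud": AWS_SAML_AUDIENCE,
                        # A list under StringEquals means "any one of these values".
                        "SAML:sub": sorted(allowed_subjects),
                    }
                },
            }
        ],
    }


def trust_policy_json(allowed_subjects):
    """The document as you would paste it under Edit Trust Relationship."""
    return json.dumps(build_trust_policy(allowed_subjects), indent=2)


def _string_equals(expected, actual):
    # IAM StringEquals is an exact, case-sensitive comparison; a list of
    # expected values matches when the request value equals any element.
    if isinstance(expected, list):
        return actual in expected
    return actual == expected


def assertion_allowed(policy, subject, audience):
    """Emulate the trust-policy check STS performs for an incoming assertion:
    allow only if some Allow statement for sts:AssumeRoleWithSAML has every
    one of its StringEquals condition keys satisfied by the assertion."""
    context = {"SAML:sub": subject, "SAML:aud": audience}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRoleWithSAML" not in actions:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(_string_equals(v, context.get(k)) for k, v in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    admins = ["alice@example.com", "bob@example.com"]
    policy = build_trust_policy(admins)
    print(trust_policy_json(admins))
    # An Okta admin who adds himself to the AWS admin group still receives an
    # assertion from Okta naming this role, but his NameID is not in the list,
    # so STS refuses the AssumeRoleWithSAML call.
    for sub in ("alice@example.com", "mallory@example.com"):
        verdict = "allowed" if assertion_allowed(policy, sub, AWS_SAML_AUDIENCE) else "denied"
        print(f"{sub} -> {verdict}")
```

Two things to check when applying this for real: the value you list must be exactly the NameID Okta sends in the assertion (the comparison is case-sensitive, so "Alice@example.com" does not match "alice@example.com"), and the trust policy only protects this role; anyone who can edit the role's trust relationship in IAM can remove the condition, so lock that down separately.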