https://support.okta.com/help/answers?id=9062a000000qulhqas&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Yarin Chen

User restriction from AWS side

Is it possible to add to the role policy on AWS a condition so that only specific users are able to log in (through Okta federation)?
The purpose is to prevent someone with Active Directory permissions, or with admin permissions in the Okta console, from assigning himself to an admin group in AWS.
So when he assigns himself to the role, it won't work, since the user is not included in the policy.
Matt Maher (Okta, Inc.)
Hi Yarin, you can assign specific AWS roles to Okta users, which can limit their access to AWS. You can find details on how this can be configured in our AWS and Okta Integration Guide (https://support.okta.com/help/servlet/fileField?retURL=/help/articles/Knowledge_Article/Amazon-Web-Services-and-Okta-Integration-Guide&entityId=ka0F0000000MeyyIAC&field=File_Attachment__Body__s). If you have any further questions specific to your integration, I suggest you open a case with our support team.
David Conrad
Hi Yarin,

I too had the exact same question and found a solution through much Googling and some experimentation. As I'm sure you discovered, the problem is that accounts are not auto-provisioned in AWS, so there is no IAM user that you can assign permissions to directly. The solution is to use the SAML user ID (in email format) that is passed in from the SAML assertion.

In the Okta-Admin role you set up in AWS, modify the trust relationship (Edit Role - Trust Relationships - Conditions) and add a condition that looks at the SAML:sub attribute, which is the SAML subject name and contains the actual user's email.

Here is what I ended up adding.

    "ForAnyValue:StringLike": {
        "SAML:sub": [
            "emailaddress1",
            "emailaddress2"
        ]
    }

Oh, and make sure you have an alternate way of logging in as an admin so you don't lock yourself out during testing and troubleshooting of the policy. ;-)
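The condition above is only a fragment of the role's trust policy. Below is an added, self-contained example (not code from the thread or from Okta) that builds the complete trust policy for an Okta-federated role, including the `sts:AssumeRoleWithSAML` action, the `SAML:aud` audience check and the `SAML:sub` allow-list, and then evaluates the Condition block offline so the policy can be tested before it is deployed, which is exactly where the lock-out risk mentioned above lives. The account ID, provider name and email addresses are placeholders, and the evaluator is a simplified model of IAM's string operators (case-sensitive `StringEquals`, and `StringLike` with `*`/`?` wildcards), not the IAM engine itself. Because `SAML:sub` carries a single value, a plain `StringEquals` with a list of subjects gives the same OR semantics as the `ForAnyValue:StringLike` form in the answer without wildcards; both shapes are accepted here.

```python
"""Build and check an IAM trust policy that limits sts:AssumeRoleWithSAML
to a fixed set of SAML subjects. Added example with constructed values."""
import json
import re

# Constructed placeholders; replace with real values when deploying.
ACCOUNT_ID = "123456789012"
PROVIDER_NAME = "Okta"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def build_trust_policy(account_id, provider_name, allowed_subjects,
                       operator="StringEquals"):
    """Return the role trust policy as a dict. allowed_subjects are matched
    against SAML:sub, the NameID Okta sends (usually the user's email)."""
    condition = {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}
    # setdefault merges into the StringEquals block when operator is StringEquals
    condition.setdefault(operator, {})["SAML:sub"] = list(allowed_subjects)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": condition,
        }],
    }


def _string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,
    "StringEqualsIgnoreCase": lambda pattern, value: pattern.lower() == value.lower(),
    "StringLike": _string_like,
}


def condition_allows(condition, request_keys):
    """Evaluate a Condition block against the request context (simplified model).
    All operator blocks must pass; within one key the listed values are ORed.
    A key absent from the request fails the check. Only the single-valued
    keys used here are modelled; a 'ForAnyValue:' prefix is accepted because
    for a single value it behaves like the bare operator."""
    for op_name, keys in condition.items():
        if op_name.startswith("ForAllValues:"):
            # ForAllValues evaluates true when the key is absent from the
            # request, which is the wrong default for an allow-list.
            raise ValueError("ForAllValues is unsafe for a SAML:sub allow-list")
        base = op_name[len("ForAnyValue:"):] if op_name.startswith("ForAnyValue:") else op_name
        match = OPERATORS[base]
        for key, patterns in keys.items():
            if key not in request_keys:
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(match(p, request_keys[key]) for p in patterns):
                return False
    return True


def subject_allowed(policy, subject, audience=SAML_AUDIENCE):
    """True if a SAML assertion with this NameID and audience may assume the role."""
    stmt = policy["Statement"][0]
    ctx = {"SAML:sub": subject, "SAML:aud": audience}
    return stmt["Effect"] == "Allow" and condition_allows(stmt["Condition"], ctx)


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, PROVIDER_NAME,
                                ["alice@example.com", "bob@example.com"])
    print(json.dumps(policy, indent=2))
    for who in ("alice@example.com", "mallory@example.com"):
        print(who, "->", "allowed" if subject_allowed(policy, who) else "denied")
```

Run the checks against every subject that must keep access before pasting the policy into the role, and keep a break-glass path (an IAM user or a separately trusted role) that does not depend on this trust policy. Two caveats worth knowing: the comparison is case-sensitive, so the list must match the NameID exactly as Okta sends it, and the control only raises the bar against an Okta administrator, who can still change what the AWS app sends as the NameID; watch `AssumeRoleWithSAML` events in CloudTrail for subjects you do not expect.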