如何使用控制台访问和 saml 创建 aws iam 角色

how to create aws iam role with console access and saml

我一直在看这里的 aws 文档 https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html

我可以从 aws 控制台创建一个具有控制台访问权限的角色,我如何使用 aws cloudformation 实现相同的目的。

我在下面创建了 cft,但角色不起作用,看起来它没有控制台访问权限。

{
  "Parameters": {
    "SAMLID": {
      "Type": "String",
      "Description": "SAML IDENTITY PROVIDER ARN"
    }
  },
    "Resources": {
      "FullAdminXME": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "Description" : "SAML Role for Azure AD SSO",
            "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": 
              {
                "Effect": "Allow",
                "Principal": {
                  "Federated": { "Ref" : "SAMLID" }
                },
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {
                  "StringEquals": {
                    "SAML:aud": "https://signin.aws.amazon.com/saml"
                  }
                }
              }

          },
          "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/AdministratorAccess"           
          ]
        }
      },

终于在与 AWS 来回交流之后,我能够解决上述问题 CFT 已正确设置,唯一的问题是 Azure 中的角色名称字符限制为 119,见下文。

"The combined length of the role ARN and the saml-provider ARN for a role being imported must be 119 characters or less"

https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial