I have IAM Identity Center SSO set up for our AWS organization. Our team uses SSO to switch between accounts through the console or programmatic access.
My question is how to allow our script to access AWS resources in Account A and Account B using Account A temporary credentials.
I know that for IAM users, I can set up a permission (IAM policy) and trust relationship on Account A (Part 1), and then on Account B attach a policy to this IAM user to assume the role set up on Account A (Part 2). I don't have any problem setting up AssumeRole for an IAM user.
But since we are using an SSO federated user, I can set up Part 1, which sets up the role on Account A: a role including a permission and a trust relationship, which should use the identity provider as principal.
"Principal":"Federated":"arn:aws:iam::Account_B:samlprovider/AWSSSO_xxxxxxxxxxxxxxxxx_DO_NOT_DELETE"
But I don't know how I could do Part 2, i.e. let this role be assumed through this IdP.
From what I have read in the AWS documentation, Configuring SAML assertions for the authentication response:
Configure SAML claims that include information about the user. The claims are bundled into a SAML assertion and included in the SAML response that is sent to AWS
So where can I configure these SAML claims? I know AWS SAML provides so many attributes that seem related to this, but I'm not able to find any entry to work on it.
The reason I want this is that we have a script, and we usually export the AWS credentials through SSO programmatic access, but this only allows us to access the AWS resources under Account A.
I want the script, after exporting the AWS credentials, to be able to access resources not only in Account A but also in Account B.
I don't know if I have misunderstood all of this, but if any AWS expert can point me in the right direction, thanks in advance!
I also read the links below: Overview of the role to allow SAML-federated access to your AWS resources
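The cross-account step the question is asking about, as an added example that is not part of the original post. It assumes the role lives in Account B and trusts the permission-set role that Identity Center provisions in Account A (the AWSReservedSSO_* role); the account ids, permission set name and role name are constructed placeholders.

```python
"""Reach Account B from a script running on Account A's exported SSO credentials."""
import json

# Constructed placeholders, not real account ids or role names.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
PERMISSION_SET = "DevOps"              # permission set the user is assigned in Account A
CROSS_ACCOUNT_ROLE = "ScriptAccessFromA"  # role created in Account B


def trust_policy_for_sso_role(account_a: str, permission_set: str) -> dict:
    """Trust policy to attach to the role in Account B.

    Identity Center names the role in Account A AWSReservedSSO_<PermissionSet>_<random
    suffix>, and the suffix changes if the permission set is recreated, so the trust
    is scoped with an ArnLike condition on aws:PrincipalArn (which resolves to the
    role ARN for an assumed-role session) instead of a hard-coded role ARN.
    """
    sso_role_pattern = (f"arn:aws:iam::{account_a}:role/aws-reserved/"
                        f"sso.amazonaws.com/*AWSReservedSSO_{permission_set}_*")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_a}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"ArnLike": {"aws:PrincipalArn": sso_role_pattern}},
        }],
    }


def assume_role_in_account_b(sts_client, role_arn: str, session_name: str) -> dict:
    """Exchange the Account A session for short-lived Account B credentials.

    Returns keyword arguments accepted by boto3.client(), so the caller can build
    Account B clients directly from the result.
    """
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                                  DurationSeconds=3600)  # keep the session short-lived
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def main() -> None:
    import boto3  # only the live call needs boto3; the default chain picks up the SSO creds
    print(json.dumps(trust_policy_for_sso_role(ACCOUNT_A, PERMISSION_SET), indent=2))
    role_arn = f"arn:aws:iam::{ACCOUNT_B}:role/{CROSS_ACCOUNT_ROLE}"
    creds = assume_role_in_account_b(boto3.client("sts"), role_arn, "script-from-account-a")
    print(boto3.client("sts", **creds).get_caller_identity()["Account"])  # Account B


if __name__ == "__main__":
    main()
```

The permission-set role in Account A must itself be allowed to call sts:AssumeRole on the Account B role ARN, either in the permission set's inline policy or an attached managed policy.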