
I'm trying to limit the possibility of adding new providers to an AWS account. I'm also using Bitbucket to deploy my app via Bitbucket Pipelines, and I use OpenID Connect as a secure way for the deployments.

Now I have created an SCP to deny creation/deletion of IAM users and addition/deletion of providers. In this SCP I want to make an exception: if the URL for the IDP is a specific one, it should be allowed in all accounts to create or delete this provider.

Thing is, I don't understand, why my condition is not working. Any hints?

Thx!

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "iam:CreateGroup",
        "iam:CreateLoginProfile",
        "iam:CreateOpenIDConnectProvider",
        "iam:CreateSAMLProvider",
        "iam:CreateUser",
        "iam:DeleteAccountPasswordPolicy",
        "iam:DeleteSAMLProvider",
        "iam:UpdateSAMLProvider"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringNotEquals": {
          "iam:OpenIDConnectProviderUrl": [
            "https://api.bitbucket.org/2.0/workspaces/my-workspace-name/pipelines-config/identity/oidc"
          ]
        }
      }
    }
  ]
}
kapale
  • What would make you think it should work? Why do you think `iam:OpenIDConnectProviderUrl` is a valid condition key? https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagement.html – luk2302 Feb 15 '23 at 15:49
  • To be honest, I got that code with the "this should work". Thank you for your link, which helped a lot. But still, currently I don't have any idea if and how it is possible to allow only providers to manage which are connecting to the OpenIDConnector from bitbucket. Any further hint for me? – kapale Feb 23 '23 at 09:41
  • You don't do that, IAM does not support that. Either you allow the creation of OIDC providers or you don't, you can very rarely have conditions based on the content of the operation / resource rather than the general metadata, like originating IP, org membership, etc. – luk2302 Feb 23 '23 at 09:54
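Since, as luk2302 notes above, IAM has no condition key for the provider URL, the SCP cannot carve out the Bitbucket provider; what remains is a detective control. The following is an added example, not code from the question or its comments: it scans CloudTrail-style records for IAM OIDC provider creates and deletes (the SCP shown denies creating OIDC providers but lists only the SAML delete action, so both are watched) and reports every URL that is not the Bitbucket one. The record field names follow CloudTrail's IAM events as I know them, and the sample records, account id and actors are constructed.

```python
from urllib.parse import urlparse

# The Bitbucket Pipelines OIDC URL from the question ("my-workspace-name" is
# the asker's placeholder); every other provider URL is reported.
BITBUCKET_URL = "https://api.bitbucket.org/2.0/workspaces/my-workspace-name/pipelines-config/identity/oidc"
ALLOWED_OIDC_URLS = {BITBUCKET_URL}
WATCHED_EVENTS = {"CreateOpenIDConnectProvider", "DeleteOpenIDConnectProvider"}


def normalize_url(url: str) -> str:
    """Host + path, no scheme, no trailing slash: the form IAM uses in oidc-provider ARNs."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return parsed.netloc.lower() + parsed.path.rstrip("/")


def find_unexpected_provider_changes(records, allowed_urls=ALLOWED_OIDC_URLS):
    """One finding per OIDC provider create/delete whose URL is not allowlisted; denied attempts included."""
    allowed = {normalize_url(u) for u in allowed_urls}
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") not in WATCHED_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        # Create carries the URL; Delete carries the provider ARN, whose part
        # after "oidc-provider/" is the URL without a scheme.
        url = params.get("url") or params.get("openIDConnectProviderArn", "").partition(":oidc-provider/")[2]
        if not url or normalize_url(url) in allowed:
            continue
        findings.append({"eventID": rec.get("eventID"), "eventName": rec["eventName"],
                         "actor": rec.get("userIdentity", {}).get("arn"),
                         "url": normalize_url(url), "errorCode": rec.get("errorCode")})
    return findings


def _rec(event_id, name, params, **extra):
    """Build a constructed CloudTrail-style record (field names follow CloudTrail's IAM events)."""
    return {"eventID": event_id, "eventSource": "iam.amazonaws.com", "eventName": name,
            "requestParameters": params, **extra}


# Constructed sample: account id, actors and the example.com IdP are made up.
SAMPLE_RECORDS = [
    _rec("e1", "CreateOpenIDConnectProvider", {"url": BITBUCKET_URL + "/"}),  # allowed
    _rec("e2", "CreateOpenIDConnectProvider", {"url": "https://idp.example.com"},
         userIdentity={"arn": "arn:aws:iam::111122223333:user/someone"}),
    _rec("e3", "DeleteOpenIDConnectProvider",
         {"openIDConnectProviderArn": "arn:aws:iam::111122223333:oidc-provider/idp.example.com"},
         errorCode="AccessDenied"),
    _rec("e4", "CreateUser", {"userName": "bob"}),  # not a provider change: ignored
]
```

Feeding real CloudTrail records (the `Records` array of a delivered log file) to `find_unexpected_provider_changes` yields the same finding shape; a denied attempt still appears, with its `errorCode`, because the attempt itself is worth alerting on.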

0 Answers