Role Credential Authorization

ConsoleMe generates a credential authorization mapping that helps it determine who (which users or groups) can access what IAM roles. It can use a combination of IAM role tags and dynamic configuration. Organizations can also write an internal plugin to produce a credential authorization mapping with custom logic. This is configurable, so you can pick and choose which of these methods you will use to generate your mapping.

The mapping generated by ConsoleMe looks like the following:

{
  "group@example.com": {
        "authorized_roles": [
          "arn:aws:iam::123456789012:role/ConsoleRole"
        ],
        "authorized_roles_cli_only": []
      },
  "user@example.com": {
    "authorized_roles": [],
    "authorized_roles_cli_only": [
      "arn:aws:iam::123456789012:role/ApplicationRole"
    ]
  }
}

When a user authenticates, ConsoleMe combines all of the roles they're authorized to access based on the user's username and their group memberships.

The roles listed under authorized_roles will be shown to the user in ConsoleMe. They'll be able to log in to the AWS Console with the role, and they can also retrieve credentials for the role via the CLI (Weep).

The roles listed under authorized_roles_cli_only will not be shown to the user in ConsoleMe. However, they'll be able to retrieve credentials via the CLI. Typically, application roles will be listed under this key.

Configuration

Here's an example configuration that enables all of the flows:

cloud_credential_authorization_mapping:
  role_tags:
    enabled: true
    required_trust_policy_entity: arn:aws:iam::123456789012:role/consolemeInstanceProfile
    authorized_groups_tags:
      - consoleme-authorized-groups-for-credentials
    authorized_groups_cli_only_tags:
      - consoleme-owner
      - consoleme-authorized-groups-for-credentials-cli-only
  dynamic_config:
    enabled: true
  internal_plugin:
    enabled: true

The key cloud_credential_authorization_mapping.role_tags.required_trust_policy_entity is an optional configuration value that, if provided, will not include an IAM role in the authorization mapping if it does not allow ConsoleMe to assume the role. You'd need to change this value to the IAM role used by ConsoleMe at your organization.