Role Credential Authorization

ConsoleMe generates a credential authorization mapping that helps it determine who (which users or groups) can access what IAM roles. It can use a combination of IAM role tags and dynamic configuration. Organizations can also write an internal plugin to produce a credential authorization mapping with custom logic. This is configurable, so you can pick and choose which of these methods you will use to generate your mapping.

The mapping generated by ConsoleMe looks like the following:

  "": {
        "authorized_roles": [
        "authorized_roles_cli_only": []
  "": {
    "authorized_roles": [],
    "authorized_roles_cli_only": [

When a user authenticates, ConsoleMe combines all of the roles they're authorized to access based on the user's username and their group memberships.

The roles listed under authorized_roles will be shown to the user in ConsoleMe. They'll be able to log in to the AWS Console with the role, and they can also retrieve credentials for the role via the CLI (Weep).

The roles listed under authorized_roles_cli_only will not be shown to the user in ConsoleMe. However, they'll be able to retrieve credentials via the CLI. Typically, application roles will be listed under this key.


Here's an example configuration that enables all of the flows:

    enabled: true
    required_trust_policy_entity: arn:aws:iam::123456789012:role/consolemeInstanceProfile
      - consoleme-authorized-groups-for-credentials
      - consoleme-owner
      - consoleme-authorized-groups-for-credentials-cli-only
    enabled: true
    enabled: true

The key cloud_credential_authorization_mapping.role_tags.required_trust_policy_entity is an optional configuration value that, if provided, will not include an IAM role in the authorization mapping if it does not allow ConsoleMe to assume the role. You'd need to change this value to the IAM role used by ConsoleMe at your organization.

Last updated