ConsoleMe
GitHub
  • About
  • Architecture
  • Features
    • Credentials
      • AWS Console Login
      • AWS Credential Broker
    • Policy Management
      • Policies View
      • Policy Editor for IAM, SQS, SNS, and S3
      • Self-Service IAM Wizard
      • Policy Request - Review Page
      • Role Creation and Cloning
  • Demo
  • Quick Start
    • Docker
    • Local
  • Prerequisites
    • Required IAM Permissions
      • Central Account
      • Spoke Accounts
  • Configuration
    • Web App Authentication and Authorization
      • Local Development (Auth bypass)
      • ALB Auth (Recommended)
      • Retrieving Google Groups
      • OIDC/OAuth2
        • Cognito
        • Okta
      • SAML
      • Plain-Text Headers
    • Role Credential Authorization
      • Role Tags
        • Role Tagging Service Control Policy (Recommended)
      • Role Authorization through Dynamic Configuration
      • Custom Authorization (Internal Plugin)
    • Account Syncing
    • Metrics
    • Dynamic Configuration
    • AWS Resource Syncing
    • CLI Authentication
    • Sending email through SES
    • AWS Secret Manager Integration
    • CloudTrail Integration via AWS Event Bridge
    • Slack Notifications
  • Celery Tasks
    • Celery Flower
  • Development Guide
    • UI Components
    • Managing Dependencies
  • Deployment Strategies
  • Contributing
  • FAQ
  • License
  • Security
  • Weep CLI
    • Getting Started with Weep
    • AWS Credentials in the CLI using Weep and ConsoleMe
    • Configuration
    • Commands
      • List
      • Serve
      • Export
      • File
      • Credential Process
    • Assuming Roles
    • Advanced Configuration
      • Routing for Metadata Service
      • Shell Completion
Powered by GitBook
On this page

Was this helpful?

  1. Configuration

Role Credential Authorization

PreviousPlain-Text HeadersNextRole Tags

Last updated 3 years ago

Was this helpful?

ConsoleMe generates a credential authorization mapping that helps it determine who (which users or groups) can access what IAM roles. It can use a combination of and . Organizations can also write an to produce a credential authorization mapping with custom logic. This is configurable, so you can pick and choose which of these methods you will use to generate your mapping.

The mapping generated by ConsoleMe looks like the following:

{
  "group@example.com": {
        "authorized_roles": [
          "arn:aws:iam::123456789012:role/ConsoleRole"
        ],
        "authorized_roles_cli_only": []
      },
  "user@example.com": {
    "authorized_roles": [],
    "authorized_roles_cli_only": [
      "arn:aws:iam::123456789012:role/ApplicationRole"
    ]
  }
}

When a user authenticates, ConsoleMe combines all of the roles they're authorized to access based on the user's username and their group memberships.

The roles listed under authorized_roles will be shown to the user in ConsoleMe. They'll be able to log in to the AWS Console with the role, and they can also retrieve credentials for the role via the CLI ().

The roles listed under authorized_roles_cli_only will not be shown to the user in ConsoleMe. However, they'll be able to retrieve credentials via the CLI. Typically, application roles will be listed under this key.

Configuration

Here's an example configuration that enables all of the flows:

cloud_credential_authorization_mapping:
  role_tags:
    enabled: true
    required_trust_policy_entity: arn:aws:iam::123456789012:role/consolemeInstanceProfile
    authorized_groups_tags:
      - consoleme-authorized-groups-for-credentials
    authorized_groups_cli_only_tags:
      - consoleme-owner
      - consoleme-authorized-groups-for-credentials-cli-only
  dynamic_config:
    enabled: true
  internal_plugin:
    enabled: true

The key cloud_credential_authorization_mapping.role_tags.required_trust_policy_entity is an optional configuration value that, if provided, will not include an IAM role in the authorization mapping if it does not allow ConsoleMe to assume the role. You'd need to change this value to the IAM role used by ConsoleMe at your organization.

IAM role tags
dynamic configuration
internal plugin
Weep