ConsoleMe
Role Tags


Last updated 3 years ago

We highly recommend establishing a set of role tags that let ConsoleMe determine which users are authorized to get credentials and/or console access for a role. These tag keys are declared in your configuration YAML under the cloud_credential_authorization_mapping key.

Here's an example configuration:

cloud_credential_authorization_mapping:
  role_tags:
    enabled: true
    authorized_groups_tags:
      - consoleme-authorized
    authorized_groups_cli_only_tags:
      - consoleme-owner-dl
      - consoleme-authorized-cli-only

Once this is set up, you list the users and groups authorized to access a role in that role's tags, using the tag keys declared above. If multiple users or groups need access to a role, delimit them with a colon (:). Commas, unfortunately, are not valid characters in AWS tag values, so they cannot be used as the delimiter.

Applied to the configuration above, a role's tag set might name a group or user called consoleme_admins and one called consoleme_users under the consoleme-authorized tag; both would get access to this role via the CLI and via ConsoleMe's web interface. The users usera@example.com and userb@example.com, named under one of the CLI-only tags, would have access to this role's credentials via the CLI only.
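The following is an added illustration, not ConsoleMe's own code, of how the role_tags mapping above resolves to per-principal access. The CONFIG dict mirrors the YAML on this page; ROLE_TAGS is a constructed sample tag set that matches the description (the CLI-only users are placed under consoleme-authorized-cli-only as an assumption, since either CLI-only key would work). It also rejects tag values containing characters outside the set AWS allows, which is what rules out commas as a delimiter.

```python
"""Illustration (not ConsoleMe's own code) of evaluating a role_tags
cloud_credential_authorization_mapping against a role's tag set."""
import re

# Mirrors the YAML on this page: which tag keys grant which access modes.
CONFIG = {
    "cloud_credential_authorization_mapping": {
        "role_tags": {
            "enabled": True,
            "authorized_groups_tags": ["consoleme-authorized"],
            "authorized_groups_cli_only_tags": [
                "consoleme-owner-dl",
                "consoleme-authorized-cli-only",
            ],
        }
    }
}

# Constructed sample tag set matching the description above. Placing the
# CLI-only users under consoleme-authorized-cli-only is an assumption.
ROLE_TAGS = {
    "consoleme-authorized": "consoleme_admins:consoleme_users",
    "consoleme-authorized-cli-only": "usera@example.com:userb@example.com",
    "Name": "example-role",
}

# Characters AWS permits in a tag value: letters, digits, whitespace and
# _ . : / = + - @ . Note that ',' is absent, which is why ':' delimits.
_TAG_VALUE_RE = re.compile(r"^[\w\s.:/=+\-@]*$")


def split_principals(tag_value: str) -> list[str]:
    """Split a colon-delimited tag value into principals, dropping blanks."""
    if not _TAG_VALUE_RE.match(tag_value):
        raise ValueError(
            f"tag value contains characters AWS does not allow: {tag_value!r}"
        )
    return [p.strip() for p in tag_value.split(":") if p.strip()]


def resolve_role_access(config: dict, role_tags: dict) -> dict[str, set[str]]:
    """Map each principal named in the role's tags to its access modes.

    Returns an empty mapping when role_tags authorization is disabled, so a
    disabled feature never silently grants access.
    """
    rt = config["cloud_credential_authorization_mapping"]["role_tags"]
    if not rt.get("enabled", False):
        return {}
    access: dict[str, set[str]] = {}
    for key in rt.get("authorized_groups_tags", []):
        for principal in split_principals(role_tags.get(key, "")):
            access.setdefault(principal, set()).update({"web", "cli"})
    for key in rt.get("authorized_groups_cli_only_tags", []):
        for principal in split_principals(role_tags.get(key, "")):
            access.setdefault(principal, set()).add("cli")
    return access


def is_authorized(config: dict, role_tags: dict, user: str,
                  groups: list[str], mode: str) -> bool:
    """True if the user, or any group they belong to, is granted `mode`
    ('web' or 'cli') on this role."""
    access = resolve_role_access(config, role_tags)
    return any(mode in access.get(p, set()) for p in [user, *groups])


if __name__ == "__main__":
    for principal, modes in sorted(resolve_role_access(CONFIG, ROLE_TAGS).items()):
        print(f"{principal}: {sorted(modes)}")
```

Because the tag value is the whole authorization decision, the same parsing rules apply whether the principal is a user or a group: a user whose identity only appears under a CLI-only key gets CLI credentials and nothing else, and a role whose tags are absent or whose feature flag is off grants nobody anything.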

Make sure that ConsoleMe and your administrative users are the only principals able to create, modify, or delete these tags, since anyone who can write them can grant themselves access to the role. We recommend using a Service Control Policy (SCP) to restrict this; see the SCP examples in the next section, Role Tagging Service Control Policy (Recommended).