
Adding Roles

Last updated 2 years ago

Prerequisites

Ensure SAML.to is installed to your GitHub Organization or User Account.

Add or Update an IAM Role

Create a new role
  1. Navigate to AWS IAM Roles

  2. Click Create Role

    1. Trusted entity type: SAML 2.0 federation

    2. SAML 2.0-based provider: Choose the SAML.to provider.

      1. If SAML.to isn't in the list, add SAML.to to the AWS account first.

    3. Allow programmatic and AWS Management Console access

    4. Attribute: SAML:aud

    5. Value: https://signin.aws.amazon.com/saml

  3. Complete the remaining steps to create the role

  4. Copy the Role ARN; saml-to.yml needs it

Use an existing role
  1. Copy the Provider ARN of SAML.to from AWS IAM Providers

    1. If SAML.to isn't in the list, add SAML.to to the AWS account first.

  2. Choose a role in AWS IAM Roles

  3. Click the Trust Relationships tab

  4. Click Edit trust policy

  5. Add the statement below to the policy's Statement array, replacing THE_PROVIDER_ARN with the Provider ARN copied in step 1, and save the policy. Keep the Provider ARN at hand; saml-to.yml needs it as well.

{
  "Effect": "Allow",
  "Principal": {
      "Federated": "THE_PROVIDER_ARN"
  },
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": {
      "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
      }
  }
}
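The statement above is one element of the role's trust policy, not the whole document, and it is only effective if both the Federated principal and the SAML:aud condition are present. The following Python is an added example, not SAML.to's own code, that merges the statement into an existing trust policy without dropping what is already there and then reviews the result for those two properties. The provider ARN, account id and the EC2-trusting starting policy are constructed placeholders.

```python
import json
import re
from typing import Dict, List

# Added example, not SAML.to's own code. The audience value is the one the page
# gives; the provider ARN below is a constructed placeholder in the shape of an
# IAM SAML provider ARN (account id and provider name are made up).
SAML_AUD = "https://signin.aws.amazon.com/saml"
SAMPLE_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/saml-to-example"
PROVIDER_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:iam::\d{12}:saml-provider/[\w._-]+$")

# Constructed: a role trust policy that already trusts the EC2 service.
EXISTING_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}


def saml_trust_statement(provider_arn: str) -> Dict:
    """The statement shown on the page, with the provider ARN filled in."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUD}},
    }


def _as_list(value) -> List:
    """IAM accepts a bare string or object wherever a list is allowed; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def add_saml_trust(policy: Dict, provider_arn: str) -> Dict:
    """Return a copy of `policy` with the SAML statement appended.

    A role's trust policy is {"Version": ..., "Statement": [...]} and the page's
    snippet is one element of that list, so it is appended rather than pasted
    over the whole document. Existing statements are kept, and adding the same
    provider twice is a no-op.
    """
    if not PROVIDER_ARN_RE.match(provider_arn):
        raise ValueError(f"not an IAM SAML provider ARN: {provider_arn}")
    merged = json.loads(json.dumps(policy))  # deep copy; caller's dict is untouched
    statements = _as_list(merged.get("Statement"))
    new_statement = saml_trust_statement(provider_arn)
    if new_statement not in statements:
        statements.append(new_statement)
    merged["Statement"] = statements
    merged.setdefault("Version", "2012-10-17")
    return merged


def saml_trust_findings(policy: Dict) -> List[str]:
    """Review every Allow statement that grants sts:AssumeRoleWithSAML.

    Returns one line per problem: a Federated principal that is not a specific
    SAML provider ARN, or a missing/wrong SAML:aud condition. An empty list
    means every SAML statement looks like the one on the page.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not federated or not all(PROVIDER_ARN_RE.match(f) for f in federated):
            findings.append(f"statement {i}: Federated principal is not a specific SAML provider ARN")
        audiences = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud"))
        if SAML_AUD not in audiences:
            findings.append(f"statement {i}: SAML:aud condition missing or not {SAML_AUD}")
    return findings


if __name__ == "__main__":
    updated = add_saml_trust(EXISTING_POLICY, SAMPLE_PROVIDER_ARN)
    print(json.dumps(updated, indent=2))
    print("findings:", saml_trust_findings(updated) or "none")
```

Run it against the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) before and after the console edit; `saml_trust_findings` should report nothing for the SAML statement once the trust relationship is saved.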

Update saml-to.yml

Add the following block to permissions.aws.roles in saml-to.yml, replacing THE-ROLE-ARN with the Role ARN and THE-PROVIDER-ARN with the Provider ARN of SAML.to:

      - name: THE-ROLE-ARN
        provider:
          variables:
            providerArn: THE-PROVIDER-ARN
        users:
          github:
            - some-github-user
            - another-github-user
        repos:
          github:
            - some-repo
            - another-org/some-other-repo