AWS Identity and Access Management
User Guide

Creating a Role for a Third-Party Identity Provider (Federation)

Identity federation provides access to AWS resources to users by means of a third-party identity provider (IdP). To set up identity federation, you configure the provider and then create an IAM role that determines what permissions a federated user will have. For more information about federation and identity providers, see Identity Providers and Federation.

Creating a Role for Federated Users (AWS Management Console)

The steps for creating a role for federated users depend on your choice of third-party provider:

Creating a Role for Federated Access (AWS Command Line Interface)

The steps to create a role for the supported identity providers (OIDC or SAML) from the AWS CLI are identical; the difference is in the contents of the trust policy that you create in the prerequisite steps. Begin by following the steps in the Prerequisites section for the type of provider you are using:

Creating a role from the AWS CLI involves multiple steps. When you use the console to create a role, many of the steps are done for you, but with the CLI you must explicitly perform each step yourself. You must create the trust policy first, create the role, and then assign an access policy to the role.

To create a role using the AWS CLI

Use the following commands:

The following example shows all the steps in a simple environment. The example assumes that you are running the AWS CLI on a computer running Windows, and have already configured the AWS CLI with your credentials. For more information, see Configuring the AWS Command Line Interface.

The commands to run are the following:

    # Create the role and attach the trust policy that enables users in an account to assume the role.
    aws iam create-role --role-name Test-CrossAcct-Role --assume-role-policy-document file://C:\policies\trustpolicyforcognitofederation.json

    # Attach the permissions policy to the role to specify what it is allowed to do.
    aws iam put-role-policy --role-name Test-CrossAcct-Role --policy-name Perms-Policy-For-CognitoFederation --policy-document file://c:\policies\permspolicyforcognitofederation.json
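Because the trust policy is the only thing that differs between the SAML and OIDC procedures, it is worth checking it before passing it to `create-role`. The following is an added example, not part of the AWS documentation: it runs a few sanity checks over two constructed trust policies (the account ID, provider names and file contents are assumptions, not the page's own `trustpolicyforcognitofederation.json`).

```python
import json
from typing import List

# Constructed SAML trust policy: a Federated principal, the SAML assume-role
# action, and an audience condition pinning the AWS sign-in endpoint.
SAML_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/ExampleIdP"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}},
    }],
})

# Constructed OIDC trust policy that omits the audience condition entirely.
OIDC_TRUST_POLICY_NO_AUD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
})

FEDERATION_ACTIONS = {"sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity"}

def check_trust_policy(document: str) -> List[str]:
    """Return findings for a federation trust policy; an empty list means it passes."""
    findings = []
    statements = json.loads(document).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given as an object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if "Federated" not in stmt.get("Principal", {}):
            findings.append(f"statement {i}: principal is not a Federated identity provider")
        if not actions & FEDERATION_ACTIONS:
            findings.append(f"statement {i}: action is not AssumeRoleWithSAML/AssumeRoleWithWebIdentity")
        if actions - FEDERATION_ACTIONS:
            findings.append(f"statement {i}: unexpected extra actions {sorted(actions - FEDERATION_ACTIONS)}")
        # Collect condition keys across all operators (StringEquals, StringLike, ...).
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not any(k.endswith(":aud") for k in cond_keys):
            findings.append(f"statement {i}: no ':aud' condition restricting which audience may assume the role")
    return findings
```

Run the check against the JSON file before the `create-role` command; only a policy that yields an empty finding list should be passed as `--assume-role-policy-document`.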

Creating a Role for Federated Access (Tools for Windows PowerShell)

The steps to create a role for the supported identity providers (OIDC or SAML) are identical; the difference is in the contents of the trust policy you create in the prerequisite steps. Follow the steps in the Prerequisites section for the type of provider you are using:

Creating a role using the Tools for Windows PowerShell involves multiple steps. When you use the console to create a role, many of the steps are done for you, but with the Tools for Windows PowerShell you must explicitly perform each step yourself. You must create the trust policy first, create the role, and then assign an access policy to the role.

To create a role using the Tools for Windows PowerShell

Use the following commands:

The following example shows all of the steps in a simple environment. The example assumes that you have already configured the Tools for Windows PowerShell with your credentials. For more information, see Using AWS Credentials.

The commands to run are the following:

    # Create the role and attach the trust policy that enables users in an account to assume the role.
    New-IAMRole -RoleName Test-Federation-Role -AssumeRolePolicyDocument (Get-Content -Raw C:\policies\trustpolicyforfederation.json)

    # Attach a managed permissions policy to the role to specify what it is allowed to do.
    Register-IAMRolePolicy -RoleName Test-Federation-Role -PolicyArn arn:aws:iam::aws:policy/PolicyForFederation

Creating a Role for Federated Access (IAM API)

Before you create the role, you must follow the steps in the Prerequisites section for the type of provider you are using:

To create a role for identity federation using the IAM API

Use the following commands: