Menu
AWS Identity and Access Management
User Guide

Creating a Role for a Third-Party Identity Provider (Federation)

Identity federation provides access to AWS resources to users by means of a third-party identity provider (IdP). To set up identity federation, you configure the provider and then create an IAM role that determines what permissions a federated user will have. For more information about federation and identity providers, see Identity Providers and Federation.

Creating a Role for Federated Users (Console)

The steps for creating a role for federated users depend on your choice of third-party providers:

Creating a Role for Federated Access (AWS CLI)

The steps to create a role for the supported identity providers (OIDC or SAML) from the AWS CLI are identical. The difference is in the contents of the trust policy that you create in the prerequisite steps. Begin by following the steps in the Prerequisites section for the type of provider you are using:

Creating a role from the AWS CLI involves multiple steps. When you use the console to create a role, many of the steps are done for you, but with the AWS CLI you must explicitly perform each step yourself. You must create the trust policy first, create the role, and then assign a permission policy to the role.

To create a role (AWS CLI)

  1. To create a role: aws iam create-role

  2. To attach a permission policy to the role:

    aws iam attach-role-policy to attach an existing managed policy

    or

    aws iam put-role-policy to create an inline policy

The following example shows all the steps in a simple environment. The example assumes that you are running the AWS CLI on a computer running Windows, and have already configured the AWS CLI with your credentials. For more information, see Configuring the AWS Command Line Interface.

The commands to run are the following:

# Create the role and attach the trust policy that enables users in an account to assume the role. $ aws iam create-role --role-name Test-CrossAcct-Role --assume-role-policy-document file://trustpolicyforcognitofederation.json # Attach the permissions policy to the role to specify what it is allowed to do. aws iam put-role-policy --role-name Test-CrossAcct-Role --policy-name Perms-Policy-For-CognitoFederation --policy-document file://permspolicyforcognitofederation.json

Creating a Role for Federated Access (AWS API)

Before you create the role, you must follow the steps in the prerequisites section for the type of provider you are using:

To create a role for identity federation (AWS API)

  1. To create a role: CreateRole

  2. To attach a permission policy to the role:

    AttachRolePolicy to attach an existing managed policy

    or

    PutRolePolicy to create an inline policy