Collective,
Deep question here. Hopefully I can explain it.
We will have two (or three) AWS accounts. SAML auth is enabled. I am
performing a custom attribute lookup to determine the role name.
With a single environment, let's say DEV, this works fine.
Hit the vanity URL aws.company.com, attribute lookup for role (dev_aws_admin
for example), SAML assertion correctly constructed and passed to AWS.

The problem comes when you mix DEV and STAGE. With the ability to have
only one SAML provider for AWS, the javascript that constructs the role
and arn attributes to pass AWS has no way of knowing what environment to
pass, or which values to look up.

Has anyone tried to deal with any multi-tenant issues before? If so, how
did you address them? Setting up static roles on NAM isn't really a
solution for me; DEV has around 60+ roles defined.

Thanks!
Joe

function main(P1) {
    var account_map = {
        'lab' : 'long_number',
        'stg' : 'second_long_number',
        'prod' : '?'
    };

    // console.log("P1 value: [ " + P1 + " ]");
    var account_type = 'lab'; // can be changed to 'dev' or 'prod' for other entries
    var role_arn = 'arn:aws:iam::' + account_map[account_type] + ':role/';
    var provider_arn = 'arn:aws:iam::' + account_map[account_type] + ':saml-provider/IDP';
    var list;
    if (P1 && P1.split) {
        list = P1.split(",");   // P1 arrived as a comma-separated string
    } else if (P1) {
        list = P1;              // list is maybe already an array?
    } else {
        list = [];              // nothing to map; avoids calling filter on undefined
    }
    var aws_roles = [];
    list.filter(function(element) {
        // keep only the roles that belong to the selected account
        return element.indexOf(account_type) >= 0;
    }).forEach(function(element) {
        var aws_role = role_arn + element + ',' + provider_arn;
        aws_roles.push(aws_role);
    });
    return aws_roles;
}

// console.log(main(P1))


--
jsullivan
------------------------------------------------------------------------
jsullivan's Profile: https://forums.netiq.com/member.php?userid=1450
View this thread: https://forums.netiq.com/showthread.php?t=57695
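One way to let a single attribute script serve several AWS accounts is to encode the environment in the role name (as the post's dev_aws_admin already does) and pick the account ID from that prefix, emitting one "role_arn,provider_arn" value per role so AWS shows the role chooser at sign-in. This is an added example, not code from the original post or from NAM; the account IDs, the provider name IDP and the prefix convention are assumptions.

```javascript
// Added example: derive the AWS account from the role name's prefix
// instead of a hard-coded account_type. Account IDs are placeholders.
var ACCOUNTS = {
    'dev': '111111111111',   // placeholder account ID for DEV
    'stg': '222222222222'    // placeholder account ID for STAGE
};
var PROVIDER_NAME = 'IDP';   // assumed name of the IAM SAML provider in each account

// Builds the "role_arn,provider_arn" pairs AWS expects in the
// https://aws.amazon.com/SAML/Attributes/Role attribute.
// Roles whose prefix matches no known account are reported in
// `skipped` rather than sent with a guessed account ID.
function buildAwsRoles(P1) {
    var list = Array.isArray(P1) ? P1 : (P1 ? String(P1).split(',') : []);
    var result = { roles: [], skipped: [] };
    list.forEach(function (raw) {
        var name = String(raw).trim();
        if (!name) { return; }
        var env = name.split('_')[0];          // "dev" from "dev_aws_admin"
        var account = ACCOUNTS[env];
        if (!account) { result.skipped.push(name); return; }
        var roleArn = 'arn:aws:iam::' + account + ':role/' + name;
        var providerArn = 'arn:aws:iam::' + account + ':saml-provider/' + PROVIDER_NAME;
        result.roles.push(roleArn + ',' + providerArn);
    });
    return result;
}

// Entry point in the same shape as the post's script: P1 is the
// comma-separated (or already split) list of role names looked up for the user.
function main(P1) {
    return buildAwsRoles(P1).roles;
}
```

Because every role name carries its own environment, DEV and STAGE roles can be returned from one assertion and the user selects the account at the AWS sign-in page; anything with an unknown prefix is dropped instead of pointing at the wrong account.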