Enable group-based role mapping in Okta

After importing the Amazon Web Services (AWS) role and management groups into Okta, you need to configure the Okta AWS app to translate AWS role-group membership into entitlements that AWS can understand syntactically.

  1. In the Admin Console, go to Applications > Applications.

  2. Enter AWS in the Search field.

  3. Click AWS Account Federation and click the Sign On tab.
  4. Click Edit in the Settings section.
  5. In the Advanced Sign-on Settings area, select the Use Group Mapping check box if it is not selected already.
  6. Complete these fields:

    • App Filter: Enter a comma separated list of apps for AWS entitlement mapping. This field provides additional security and avoids the issue of rogue admins creating groups following a certain syntax in order to intentionally gain unauthorized access to a specific AWS account or role. If you created your groups in Active Directory, enter active_directory, or enter okta to limit use to local Okta groups. For other applications, you can use values such as: bamboohr for the Bamboo HR app or okta, egnyte for Okta + Egnyte groups.
    • Group Filter: Enter a RegEx expression to filter AWS related groups and extract accountid and role. If you use the default AWS role group syntax (aws#[account alias]#[role name]#[account #]), then you can use this RegEx string:
    ^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$

    This RegEx expression logically equates to: find groups that start with AWS, then #, then a string of text, then #, then the AWS role, then #, then the AWS account ID.

    You can also use this RegEx expression:

    aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)

    If you don't use a default RegEx expression, create a RegEx expression that properly filters your AWS role groups, and captures the AWS role name and account ID within two distinct RegEx groups named {{role}} and {{accountid}}.

    • Role Value Pattern: This field takes the AWS role and account ID captured within the syntax of your AWS role groups and translates it into the proper syntax AWS requires in the Okta SAML assertion. This enables users to view their accounts and roles when they sign in.

    Field syntax:

    arn:aws:iam::${accountid}:saml-provider/[SAML Provider Name],
    arn:aws:iam::${accountid}:role/${role}

    Replace [SAML Provider Name] with the name of the SAML provider for your AWS accounts (see Enable group-based role mapping in Okta). The rest of the string should not be altered, only copied and pasted.

  7. Scroll down and click Save.

Next steps