Enable group-based role mapping in Okta

After importing the Amazon Web Services (AWS) role and management groups, configure the Okta AWS app to translate AWS role-group membership into entitlements that AWS can understand syntactically.

  1. In the Admin Console, go to Applications > Applications.

  2. Enter AWS in the Search field.

  3. Click AWS Account Federation, and then select the Sign On tab.
  4. Click Edit in the Settings section.
  5. Under Advanced Sign-on Settings, make sure that Use Group Mapping is selected.
  6. Complete these fields:

    • App Filter: Enter a comma-separated list of apps for AWS entitlement mapping. This field provides extra security and avoids the issue of rogue admins creating groups following a certain syntax to gain unauthorized access to an AWS account or role. If you created your groups in Active Directory, enter active_directory, or enter okta to limit use to local Okta groups. For other applications, you can use values such as: bamboohr for the Bamboo HR app or okta, egnyte for Okta + Egnyte groups.
    • Group Filter: Enter a regular expression to filter AWS-related groups and extract the accountid and role. If you use the default AWS role group syntax (aws#[account alias]#[role name]#[account #]), then you can use this Regex string:
    ^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$

    This Regex expression logically equates to: find groups that start with aws, then #, then a string of text (the account alias), then #, then the AWS role, then #, then the AWS account ID.

    You can also use this Regex expression:

    aws_(?{{accountid}}\d+)_(?{{role}}[a-zA-Z0-9+=,.@\-_]+)

    If you don't use a default Regex expression, create one that properly filters your AWS role groups. The expression should capture the AWS role name and account ID within two distinct Regex groups named {{role}} and {{accountid}}.

    • Role Value Pattern: This field takes the AWS role and account ID format and translates it into the proper syntax AWS requires in the Okta SAML assertion. This enables users to view their accounts and roles when they sign in.

    Field syntax:

    arn:aws:iam::${accountid}:saml-provider/[SAML Provider Name],
    arn:aws:iam::${accountid}:role/${role}

    Replace [SAML Provider Name] with the name of the SAML provider for your AWS accounts. The rest of the string shouldn't be altered, only copied and pasted.

  7. Click Save.
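To make the filtering and translation concrete, here is an added Python example (not Okta's code) that applies an App Filter, the default Group Filter and a Role Value Pattern to a constructed set of group memberships, showing which groups become SAML role values and which are dropped. It assumes Okta's `(?{{name}}...)` named-group marker can be rewritten as Python's `(?P<name>...)`, that `${accountid}` and `${role}` are filled in by plain substitution, and it uses `ExampleSAMLProvider` as a placeholder SAML provider name.

```python
import re

# Default Group Filter from the Okta docs, in Okta's own named-group syntax.
OKTA_GROUP_FILTER = r"^aws\#\S+\#(?{{role}}[\w\-]+)\#(?{{accountid}}\d+)$"

# Role Value Pattern with a placeholder SAML provider name (assumption).
ROLE_VALUE_PATTERN = (
    "arn:aws:iam::${accountid}:saml-provider/ExampleSAMLProvider,"
    "arn:aws:iam::${accountid}:role/${role}"
)

# Constructed sample memberships: (source app, group name).
SAMPLE_GROUPS = [
    ("okta", "aws#prod#ReadOnly#123456789012"),
    ("okta", "aws#prod#Admin-Role#123456789012"),
    ("okta", "aws#prod#Admin#notanumber"),        # fails the Group Filter
    ("bamboohr", "aws#prod#Admin#123456789012"),  # blocked by the App Filter
    ("okta", "Marketing"),                        # not an AWS role group
]


def okta_regex_to_python(pattern: str) -> str:
    """Rewrite Okta's (?{{name}} marker into Python's (?P<name> (assumed equivalent)."""
    return re.sub(r"\(\?\{\{(\w+)\}\}", r"(?P<\1>", pattern)


def map_groups(groups, app_filter, group_filter=OKTA_GROUP_FILTER,
               role_value_pattern=ROLE_VALUE_PATTERN):
    """Return the SAML role values produced for a user's group memberships.

    Groups whose source app is not in the comma-separated App Filter, and
    groups that do not match the Group Filter, yield no entitlement at all.
    """
    allowed_apps = {a.strip() for a in app_filter.split(",") if a.strip()}
    regex = re.compile(okta_regex_to_python(group_filter))
    role_values = []
    for source_app, name in groups:
        if source_app not in allowed_apps:
            continue  # App Filter: ignore groups created in unlisted sources
        match = regex.match(name)
        if not match:
            continue  # Group Filter: role or account ID not extractable
        value = role_value_pattern
        for key, captured in match.groupdict().items():
            value = value.replace("${" + key + "}", captured)
        role_values.append(value)
    return role_values


if __name__ == "__main__":
    for role_value in map_groups(SAMPLE_GROUPS, "okta"):
        print(role_value)
```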

Next steps

Assign AWS management groups to the Okta AWS app