AWS AD integration using Pulumi
The active directory configuration in AWS works by defining additional claims during login. Inside active directory you create a rule which looks like this
c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::<rootaccount>:saml-provider/Myorg-ADFS,arn:aws:iam::<rootaccount>:role/Myorg-ADFS-"));
This maps any AD group the user is in starting with
AWS- to a AWS IAM Role.
The SAMLProvider’s name must also be
Myorg-ADFS otherwise the integration will not work.
Once you have created the AD rules to map your AD group into IAM roles you can just configure the SAML provider.
After we have our SAML provider we need to define the roles which match.
If there are multiple roles then the user will be prompted to select the role.
The next steps is to attach the appropriate policies to each of your roles which you login to.