AWS AD integration using Pulumi
The Active Directory side of the integration works by issuing additional claims during login. Inside AD FS you create a claim rule that looks like this:
c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"]
=> issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::<rootaccount>:saml-provider/Myorg-ADFS,arn:aws:iam::<rootaccount>:role/Myorg-ADFS-"));
This maps any AD group the user is in whose name starts with AWS- to an AWS IAM role.
The SAML provider's name must also be Myorg-ADFS, because the rule hard-codes that provider ARN; otherwise the integration will not work.
The docs are at https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/
Once you have created the AD rules that map your AD groups to IAM roles, you can configure the SAML provider.
After we have our SAML provider we need to define the roles whose names match the Myorg-ADFS- prefix used in the rule.
If there are multiple roles then the user will be prompted to select the role.
The next step is to attach the appropriate policies to each of the roles you log in to.
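As an added example (not the post's own Pulumi code), the following Python mirrors the ADFS claim rule above to show which Role claims a user's AD groups produce, validates that each claim is one the Myorg-ADFS provider and role prefix can actually satisfy, and builds the trust policy a Myorg-ADFS-* role needs. The account id is a constructed placeholder, and the claim-rule mirror assumes RegExReplace rewrites every occurrence like .NET Regex.Replace.

```python
import re

# Constructed placeholders, not a real account. The provider name Myorg-ADFS and
# the Myorg-ADFS- role prefix are hard-coded by the ADFS claim rule on this page.
ROOT_ACCOUNT = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ROOT_ACCOUNT}:saml-provider/Myorg-ADFS"
ROLE_ARN_PREFIX = f"arn:aws:iam::{ROOT_ACCOUNT}:role/Myorg-ADFS-"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def groups_to_role_claims(groups):
    """Reproduce the ADFS rule: each AD group matching (?i)^AWS- yields one Role
    claim "<provider-arn>,<role-arn>". Assumes RegExReplace behaves like .NET
    Regex.Replace and rewrites every occurrence of AWS-, not only the first."""
    return [re.sub(r"(?i)AWS-", f"{PROVIDER_ARN},{ROLE_ARN_PREFIX}", g)
            for g in groups if re.match(r"(?i)^AWS-", g)]


def is_valid_role_claim(claim):
    """True only for exactly "<our provider>,<Myorg-ADFS-* role>". A group such
    as AWS-Team-AWS-Ops is rewritten twice and produces a claim AWS cannot
    parse; catching it here beats debugging a failed sign-in."""
    parts = claim.split(",")
    if len(parts) != 2 or parts[0] != PROVIDER_ARN:
        return False
    if not parts[1].startswith(ROLE_ARN_PREFIX):
        return False
    # IAM role-name character set (comma omitted since we already split on it)
    return re.fullmatch(r"[\w+=.@-]+", parts[1][len(ROLE_ARN_PREFIX):]) is not None


def saml_trust_policy():
    """Trust policy for every Myorg-ADFS-* role: only our SAML provider may call
    AssumeRoleWithSAML, and only with an assertion addressed to the AWS sign-in
    audience, so an assertion issued for another service provider is rejected.
    json.dumps() of this dict is what aws.iam.Role(assume_role_policy=...) takes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }
```

Run is_valid_role_claim over the output of groups_to_role_claims for your real group list before rolling the Pulumi stack out; a single oddly named group otherwise only shows up as a failed sign-in.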