AWS AD integration using Pulumi

Jake Ginnivan
1 min readJun 13, 2021

The active directory configuration in AWS works by defining additional claims during login. Inside active directory you create a rule which looks like this

c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"]
=> issue(Type = "", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::<rootaccount>:saml-provider/Myorg-ADFS,arn:aws:iam::<rootaccount>:role/Myorg-ADFS-"));

This maps any AD group the user is in starting with AWS- to a AWS IAM Role.

The SAMLProvider’s name must also be Myorg-ADFS otherwise the integration will not work.

The docs are at

Once you have created the AD rules to map your AD group into IAM roles you can just configure the SAML provider.

After we have our SAML provider we need to define the roles which match.

If there are multiple roles then the user will be prompted to select the role.

The next steps is to attach the appropriate policies to each of your roles which you login to.



Jake Ginnivan

Co-Founder | Principal Consultant | Previously Tech Lead Seven West Media WA | International Speaker | OSS | Mentor