Configure AWS Roles in JumpCloud with Constant Attributes

Admins can configure AWS roles in JumpCloud using constant attributes. Configuring AWS roles with constant attributes works well if users need access to the same collection of roles. This method produces multiple connectors, each with their own collection of roles.

Prerequisites 

Considerations

  • This article does not apply to AWS IAM (successor to AWS SSO)
  • You need to create a separate AWS SSO connector for each collection of roles. 

Creating AWS Roles with Constant Attributes

To configure roles in JumpCloud using constant attributes

  1. Log in to the Admin Portal: https://console.jumpcloud.com.
  2. Go to Applications, then select the AWS connector to open the connector's details panel. 
  3. In Constant Attributes, replace the string in the second value with the ARN for the role and then the ARN for the identity provider separated by a comma.  For example: arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:role/ROLE_NAME,arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:saml-provider/JumpCloud
  4. Click add attribute for each additional role this connector should provide access to.  
  5. Under Service Provider Attribute Name, enter https://aws.amazon.com/SAML/Attributes/Role for each additional attribute.
  6. Under Value enter the ARN values that represent your AWS roles.
  7. Click save to commit new role mappings.

Isolating User Access

After you define and map IAM Roles in Amazon to the Single Sign On (SSO) Amazon AWS connector, you need to decide how user access is isolated to these resources. 

The above diagram example shows the following environment:
 

User Group 1

Users in group 1 are authorized to access AWS Connector A. When users from group 1 log in to their User Portal, they see one AWS connector. When a user clicks on the AWS connector, they can choose either the Admin or User role.
 

User Group 2

Users in group 2 are authorized to access AWS Connectors A and B. They have two AWS applications to choose from in their User Portal.  If a user selects AWS Connector A, the user gets to choose either the Administrator or User role. If a user selects AWS Connector B, the user gets to choose the Support or Read Only role.
 

User Group 3

Users in group 3 are authorized to access AWS Connector B. They see one AWS connector when they log in to their User Portal. When a user selects AWS Connector B, the user gets to choose the Support or Ready Only role. 

User Experience

Note:

After the SSO connector is created and your roles are configured, make sure to authorize user access. See Authorize Users to an SSO App

When you use constant attributes to create roles, the user experience can vary. This section describes two typical experiences.

Single Amazon AWS Connector with Multiple Roles

After using SP-initiated or IdP-initiated authentication to log in, the user is presented an Amazon IAM page to select the role that they’d like to use.

Multiple Amazon AWS Connectors

After a user logs in to the JumpCloud User Portal, they can choose which AWS SSO connector to use. Make sure to use distinctive and informative Display Labels to make it easy for users to identify similar connectors.

Back to Top

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case