I am trying to integrate Okta with AWS, to use Okta as the identity provider for my AWS accounts. However, instead of statically configuring roles in the AWS account that can be assumed by the user, I want the roles to be created dynamically through a server-backend, whose code is owned by me, and then assigned to the user. Is there a way to do this?
You gotta use the Okta integration with AWS Account Federation from this link. Then, try making a POC to check if this thing works. Check out this doc; it might not have all the answers, but it's pretty close.
Since you’re setting up roles dynamically in AWS, take a look at this section in the documentation. It talks about making Okta groups with specific names and adding these groups to the AWS Federation app for each AWS role in every account where you want users to have access.
There's no perfect or official document available yet; it's more of a trial-and-error thing to create a POC. But with a bit of trial and experimentation, it should be doable.
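To make the group-naming mechanism in the answer above concrete, here is an added example (not part of the original answer, and not Okta's or AWS's code). It simulates what the Okta AWS Account Federation app does with group names: groups matching a filter pattern become values of the SAML `Role` attribute, each value being a `<role ARN>,<SAML provider ARN>` pair for the same account. It also builds the IAM trust policy a backend would have to attach to any role it creates dynamically, since `AssumeRoleWithSAML` only succeeds if the role trusts the SAML provider in that account. The group pattern `aws#<alias>#<role>#<account id>`, the provider name `OKTA`, and the sample group list are assumptions for the example.

```python
"""
Added example (not from the original post or from Okta/AWS): simulate the
group-name -> SAML Role attribute mapping done by the Okta AWS Account
Federation app, validate the resulting pairs, and build the IAM trust
policy a dynamically created role needs.

Assumptions (not taken from the page):
  * group names follow aws#<alias>#<role>#<account id>
  * the IAM SAML provider in every account is named OKTA
"""
import json
import re

# Assumed group filter; the Okta app lets you change this regex.
GROUP_FILTER = re.compile(r"^aws#\S+#(?P<role>[\w+=.@\-]+)#(?P<accountid>\d{12})$")
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"


def role_attribute_values(groups, provider_name="OKTA"):
    """Return the values that would be placed in the SAML Role attribute
    for these group memberships. Groups that do not match the filter are
    ignored, as non-AWS groups are in the Okta app."""
    values = []
    for group in groups:
        m = GROUP_FILTER.match(group)
        if not m:
            continue
        acct, role = m["accountid"], m["role"]
        values.append(
            f"arn:aws:iam::{acct}:role/{role},"
            f"arn:aws:iam::{acct}:saml-provider/{provider_name}"
        )
    return values


def parse_role_value(value):
    """Split one Role attribute value into (role_arn, provider_arn) and
    check both ARNs name the same account. STS rejects mismatched pairs,
    so catching this early exposes a broken group filter before users do."""
    role_arn, provider_arn = value.split(",")
    role_acct = role_arn.split(":")[4]
    prov_acct = provider_arn.split(":")[4]
    if role_acct != prov_acct:
        raise ValueError(f"account mismatch in Role value: {value}")
    return role_arn, provider_arn


def saml_trust_policy(provider_arn):
    """Trust policy a backend must attach to a role it creates so that the
    Okta SAML provider in that account can assume it. The aud condition
    pins accepted assertions to the AWS sign-in endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


if __name__ == "__main__":
    # Constructed sample group memberships for one Okta user.
    groups = [
        "Everyone",
        "aws#prod#ReadOnly#111111111111",
        "aws#dev#Admin#222222222222",
        "aws#bad#Admin#abc",  # does not match the filter, silently dropped
    ]
    for value in role_attribute_values(groups):
        role_arn, provider_arn = parse_role_value(value)
        print(f"{ROLE_ATTRIBUTE} = {value}")
        print(json.dumps(saml_trust_policy(provider_arn), indent=2))
```

The practical point for the dynamic-role design in the question: whatever creates the role must give it this trust policy and must also ensure an Okta group exists whose name yields the matching `Role` value, otherwise the assertion never carries the new role and the user cannot select it at sign-in.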
Isn't there a way to somehow redirect the SAML Assertion token to our server backend, enrich it as per our requirement, and then send it back to Okta, so that Okta can now send the enriched SAML Assertion token to AWS?