Configure Session Manager access for federated users using SAML session tags — AWS SSO edition

Steven Moy
2 min read · Feb 28, 2022

Why does this article exist? If you are using Okta (funny, me too), this AWS blog article should be sufficient. However, you need to be careful if you are using Okta along with AWS SSO: if you are managing multiple AWS accounts under an organization (which I am), you are technically using AWS SSO. If you found this article because you are trying to get Session Manager working when your users authenticate using AWS SSO, make sure you read the aforementioned AWS article first before reading this one.

Let’s set up some context:

  1. Session Manager allows you to gain console access without setting up SSH public keys (which is good, because you want your identity provider to handle the authentication, not a static key pair).
  2. SAML session tags: if you authenticate with AWS using an identity provider, you are likely using SAML. (Yes, there are alternatives like OpenID Connect; AWS covers those well.) You can bring along extra attributes in your SAML response, and this is how AWS IAM propagates them for use in IAM policies (you have to configure those SAML attributes yourself).
  3. How do you debug it when things are not working? CloudTrail to the rescue: read the AssumeRoleWithSAML event, as the principalTags are set there. (This is also how I remember whether I used Okta with AWS SSO to assume a role in a particular AWS account.)

OK, these are the instructions you need. The full reference is available here: https://aws.amazon.com/blogs/aws/new-attributes-based-access-control-with-aws-single-sign-on/

  1. Go to the principal account that has your AWS SSO set up.
  2. Go to Settings, then Attributes for access control.
  3. Add a key “login” with value “${path.userName}”. (Note: this is what I need for Okta + AWS SSO; you may need another value if it does not work.)
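To tie the pieces together (the session tag from step 3, the IAM condition from context item 2, and the CloudTrail check from item 3), here is an added example that is not part of the original post or of any AWS code. The event is a constructed sample in the shape of a CloudTrail AssumeRoleWithSAML record, and the tag-match evaluation is a local stand-in for IAM's StringEquals handling, not the IAM engine itself.

```python
"""Pull the SAML session tag out of a CloudTrail AssumeRoleWithSAML record and
evaluate the Session Manager ABAC condition locally (assumed shapes, see notes)."""
import json

# Constructed sample record (fake account id and ARNs). In CloudTrail the session
# tags sent by AWS SSO appear under requestParameters.principalTags.
SAMPLE_EVENT = json.dumps({
    "eventSource": "sts.amazonaws.com",
    "eventName": "AssumeRoleWithSAML",
    "requestParameters": {
        "roleArn": "arn:aws:iam::111122223333:role/AWSReservedSSO_Dev_example",
        "principalArn": "arn:aws:iam::111122223333:saml-provider/AWSSSO_example",
        "principalTags": {"login": "alice@example.com"},
        "durationSeconds": 3600,
    },
})

# Permission-set statement in the usual ABAC shape: StartSession is allowed only
# when the instance's "login" tag equals the caller's "login" session tag.
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": "ssm:StartSession",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"ssm:resourceTag/login": "${aws:PrincipalTag/login}"}},
}


def principal_tags(event_json: str) -> dict:
    """Return the session tags from an AssumeRoleWithSAML record, or {} if absent.
    An empty result means the assertion carried no attributes, i.e. the AWS SSO
    attribute mapping from step 3 did not take effect for this login."""
    event = json.loads(event_json)
    if event.get("eventName") != "AssumeRoleWithSAML":
        return {}
    return event.get("requestParameters", {}).get("principalTags") or {}


def start_session_allowed(session_tags: dict, instance_tags: dict, key: str = "login") -> bool:
    """Local evaluation of the StringEquals condition above (not the IAM engine).
    A missing tag on either side fails closed, as IAM does when a condition key is absent."""
    principal = session_tags.get(key)
    resource = instance_tags.get(key)
    return principal is not None and resource is not None and principal == resource


if __name__ == "__main__":
    tags = principal_tags(SAMPLE_EVENT)
    print("session tags:", tags)
    print("StartSession on matching instance:", start_session_allowed(tags, {"login": "alice@example.com"}))
    print("StartSession on someone else's instance:", start_session_allowed(tags, {"login": "bob@example.com"}))
```

If `principal_tags` returns an empty dict for a real record, the fix is on the AWS SSO attribute-mapping side (step 3), not in the permission set.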


Steven Moy

Software Engineer in database, infrastructure, and security