AWS IAM Identity Center Groups

This guide will walk you through integrating Common Fate with Amazon Web Services (AWS). By the end of this guide, you’ll have a functioning integration with Common Fate, allowing it to grant temporary access to IAM Identity Center groups.

Prerequisites

Support for managing IAM Identity Center group assignments requires the following minimum software versions:

• Common Fate deployment module v1.10.0
• Common Fate application version v1.2.0
• Common Fate Terraform Provider v2.8.0

You’ll also need to have installed our AWS integration beforehand. You can do so by following our guide here.

Finally, you’ll need to ensure that the idc_identity_store_id variable is set in your provisioner config. This variable was added in module version v1.10.0, so if your initial deployment of Common Fate was on an earlier version it may not be set.

module "common-fate-deployment" {
  source = "common-fate/common-fate-deployment/aws"
  version = "<your module version (must be at least v1.12.0)>"

  provisioner_aws_idc_config = {
    idc_instance_arn      = "<Your Identity Center Instance ARN>"
    idc_region            = "<Your Identity Center Region>"
    role_arn              = "<ARN of the Common Fate Provision IAM role>"
    idc_identity_store_id = "d-123456789 (replace with your actual identity store ID)"
  }
  ... other variables
}

AWS Setup

In order to grant access to IAM Identity Center groups, the Common Fate provisioner requires some additional AWS IAM permissions:

• identitystore:CreateGroupMembership
• identitystore:DeleteGroupMembership
• identitystore:ListGroupMembershipsForMember
• identitystore:IsMemberInGroups
• identitystore:ListGroupMemberships

Using our AWS integration Terraform module, you can enable these permissions by setting the permit_group_assignment variable to true:

module "common-fate-aws-roles" {
  source                               = "common-fate/common-fate-deployment/aws//modules/aws-idc-integration/iam-roles"
  version                              = "<your module version (must be at least v1.10.0)>"
  common_fate_aws_reader_role_arn       = module.common-fate.control_plane_task_role_arn
  common_fate_aws_provisioner_role_arn  = module.common-fate.provisioner_task_role_arn
 permit_group_assignment               = true
}

Next, you’ll need to let Common Fate know that the provisioner is capable of assigning access to IAM Identity Center groups. You can do so by adding a capability to the provisioner in the application Terraform config:

resource "commonfate_webhook_provisioner" "aws" {
  url = <The provisioner URL output from the provisioner module>
  capabilities = [
    {
      target_type = "AWS::Account"
      role_type   = "AWS::IDC::PermissionSet"
      belonging_to = {
        type = "AWS::Organization"
        id   = "<Your AWS Organization ID>"
      }
    },
    {
     target_type = "AWS::IDC::Group"
     role_type   = "AWS::IDC::GroupRole"
     belonging_to = {
       type = "AWS::Organization"
       id   = "<Your AWS Organization ID>"
     }
   },
  ]
}

You can now create an access workflow and availabilities:

resource "commonfate_access_workflow" "aws" {
  name                     = "aws"
  access_duration_seconds  = 60 * 60 * 2
  priority                 = 1
}

resource "commonfate_aws_idc_group_selector" "select_all" {
  id                  = "select_all_idc_groups"
  name                = "All IAM Identity Center groups"
  aws_organization_id = "<Your AWS Organization ID>"
  when                = "true"
}

resource "commonfate_aws_idc_group_availabilities" "aws" {
  workflow_id             = commonfate_access_workflow.aws.id
  aws_idc_group_selector_id = commonfate_aws_idc_group_selector.select_all.id
  aws_identity_store_id   = "<Your Identity Store ID>"
}

IAM Identity Center group selectors

To make IAM Identity Center groups available for Just-In-Time (JIT) access you can add a commonfate_aws_idc_group_selector Selector resource to your Common Fate application Terraform code. As shown below, the when clause in the resource is a Cedar expression. You can use any Cedar operator in the when clause, such as && and || to combine conditions.

You’ll need to use the commonfate_aws_idc_group_selector in conjunction with a commonfate_aws_idc_group_availabilities and commonfate_access_workflow resources, as shown above.

We’ve included some examples below.

Select a group by ID

resource "commonfate_aws_idc_group_selector" "example" {
  id        = "example"
  name      = "Example"
  when                = <<EOT
  resource == AWS::IDC::Group::"093e8448-a061-7028-7a07-cc44551e00f1"
  EOT
}

Select multiple groups by ID

resource "commonfate_aws_idc_group_selector" "example" {
  id        = "example"
  name      = "Example"
  when                = <<EOT
  resource == AWS::IDC::Group::"093e8448-a061-7028-7a07-cc44551e00f1" || resource == AWS::IDC::Group::"09cef4c8-f0f1-7012-c7e4-75867b4f83aa"
  EOT
}

Select a group based on a naming pattern

Select groups with a name ending in -prod:

resource "commonfate_aws_idc_group_selector" "example" {
  id        = "example"
  name      = "Example"
  when                = <<EOT
  resource.name like "*-prod"
  EOT
}

Select groups with a name beginning with Develop:

resource "commonfate_aws_idc_group_selector" "example" {
  id        = "example"
  name      = "Example"
  when                = <<EOT
  resource.name like "Develop*"
  EOT
}