aws_iam_identity_center_permissions

AWS IAM Identity Center Permissions

Creates the following permission tiers for each AWS account:

  1. superusers: Maps to the arn:aws:iam::aws:policy/AdministratorAccess managed policy.
  2. admins: Maps to a role that has admin access to most items, but attempts to block permissions that could create obvious security problems or delete key infrastructure.
  3. readers: Read-only access to the specific subset of AWS resources used in the Panfactum stack.
  4. restricted_readers: Same as readers but prevents reading sensitive values.
  5. billing_admins: Allows a user to control payment and billing settings but not live infrastructure.

Usage

Adjusting Session Durations

There are two different expiration times to keep in mind when using AWS IAM Identity Center:

  • The AWS session expiration time: How often you need to get a new AWS session token
  • The SAML authentication expiration time: How often you need to re-authenticate with your upstream IdP

When using tools like the AWS CLI, AWS sessions will automatically be renewed so long as your SAML authentication is not expired.

As a result, the SAML authentication expiration time is going to be the value that most impacts your user ergonomics. To adjust this value, you will need to follow this guide.

Since the AWS session automatically renews, we recommend keeping the AWS session expiration time fairly short (1 hour). This provides a small security improvement, as it decreases the useful lifetime of stolen session tokens. You can adjust the value via the session_duration_hours input.

Providers

The following providers are needed by this module:

Required Inputs

The following input variables are required:

account_access_configuration

Description: Configuration for assigning access to various AWS accounts via Identity Center

Type:

map(object({
  account_id               = string
  superuser_groups         = list(string)
  admin_groups             = optional(list(string), [])
  reader_groups            = optional(list(string), [])
  restricted_reader_groups = optional(list(string), [])
  billing_admin_groups     = optional(list(string), [])
}))

Optional Inputs

The following input variables are optional (have default values):

session_duration_hours

Description: The number of hours that AWS sessions will last. This is NOT the time before needing to re-authenticate with your IdP, but rather the amount of time that AWS session tokens last before expiring.

Type: number

Default: 12
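An added example of calling this module for two accounts; it is not part of the Panfactum docs. The module source path, the account IDs and the group names are placeholders to replace with your own, and it shows that only superuser_groups is mandatory per account while the other group lists default to [] when omitted.

```hcl
# Added example, not from the Panfactum docs. The module source path,
# account IDs and group names below are placeholders; replace them with
# your own values.
module "identity_center_permissions" {
  source = "<path-to-aws_iam_identity_center_permissions-module>"

  account_access_configuration = {
    # Production: only a small break-glass group gets superuser; day-to-day
    # operators use the guarded admin role, and everyone else is read-only.
    production = {
      account_id               = "111111111111"
      superuser_groups         = ["prod-break-glass"]
      admin_groups             = ["prod-operators"]
      reader_groups            = ["prod-oncall"]
      restricted_reader_groups = ["developers"]
      billing_admin_groups     = ["finance"]
    }

    # Development: wider admin access, no separate restricted readers.
    # Optional lists that are omitted default to [] (no assignment made).
    development = {
      account_id       = "222222222222"
      superuser_groups = ["platform-team"]
      admin_groups     = ["developers"]
    }
  }

  # Keep AWS session tokens short-lived (the docs recommend 1 hour; the
  # default is 12). The CLI renews them automatically while the SAML
  # session with the IdP is still valid, so this adds no extra re-auth.
  session_duration_hours = 1
}
```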

Outputs

The following outputs are exported:

cli_config

Description: To be used by the 'pf-aws-update --build' script

Maintainer Notes

No notes