Set up SAML 2.0 federation into AWS:

1. Create an external identity provider in IAM: IAM > Access management > Identity providers, and create a provider of type SAML.
2. If you use AWS SSO, set up the external identity provider under AWS SSO > Settings.
3. Configure SAML SSO in your own identity provider.
4. Create an IAM role of type SAML 2.0 Federation (IAM > Access management > Roles). Set the provider you created above as the SAML provider and select "Allow programmatic and AWS Management Console access".
5. On the Attach Permission Policies page, select the policies the federated users should receive through the role.
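The role created in step 4 gets a trust policy that names the SAML provider as its federated principal and allows sts:AssumeRoleWithSAML, conditioned on the assertion's audience being the AWS sign-in endpoint. The following is an added example, not from the original notes, that builds that trust policy in Python and checks an existing one for the two things a reviewer looks for: a wildcard principal and a missing SAML:aud condition. The provider ARN and account id are placeholders.

```python
"""Build and check the trust policy of a SAML 2.0 federated IAM role (added example)."""

# Audience value AWS places in SAML assertions meant for console/API sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Placeholder provider ARN (account id 123456789012 is not a real account).
EXAMPLE_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/corp-idp"


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy letting only `provider_arn` mint sessions for this role.

    The StringEquals condition on SAML:aud rejects assertions issued for some
    other audience, so a token meant for another relying party cannot be
    replayed against AWS.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def trust_policy_findings(policy: dict) -> list[str]:
    """Return review findings for Allow statements that grant AssumeRoleWithSAML."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(a in ("sts:AssumeRoleWithSAML", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("Federated") == "*"):
            findings.append(f"statement {i}: Principal is a wildcard")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("SAML:aud") != SAML_AUDIENCE:
            findings.append(f"statement {i}: missing SAML:aud condition")
    return findings


if __name__ == "__main__":
    import json

    policy = saml_trust_policy(EXAMPLE_PROVIDER_ARN)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

The checker deliberately treats a role that trusts the provider without the SAML:aud condition as a finding, because the permissions policies attached in step 5 are only as safe as the trust policy that decides who may assume the role.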
AWS uses one standard JSON Identity and Access Management (IAM) policy document format across many services to control authorization to resources and API actions.
terraform: https://www.terraform.io/docs/providers/aws/r/iam_role_policy.html

resource "aws_iam_role_policy" "s3_policy" {
  name = "s3_policy"
  role = aws_iam_role.lambda_s3_role.id

  # Inline permissions policy: list the bucket, and act on the objects in it.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name"]
    },
    {
      "Sid": "AllObjectActions",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": ["arn:aws:s3:::bucket-name/*"]
    }
  ]
}
EOF
}

resource "aws_iam_role" "lambda_s3_role" {
  name = "lambda_s3_role"

  # Trust policy: only the Lambda service may assume this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Effect": "Allow"
    }
  ]
}
EOF
}
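The permissions policy above is small enough to read, but the same JSON format is what every role carries, so a mechanical check pays off. The following is an added example, not part of the original notes or of the Terraform provider, that lints an IAM policy document for the usual least-privilege problems: service-wide or pattern actions, Resource "*", and NotAction/NotResource in an Allow. It is run over the s3_policy document from the Terraform block (copied inline) and over a hardened variant that spells out the object APIs instead of s3:*Object.

```python
"""Lint IAM policy documents for least-privilege problems (added example)."""
import json

# The inline policy from the Terraform block above, copied verbatim.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListObjectsInBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::bucket-name"]},
    {"Sid": "AllObjectActions", "Effect": "Allow",
     "Action": "s3:*Object", "Resource": ["arn:aws:s3:::bucket-name/*"]}
  ]
}"""

# Constructed hardened variant: the same bucket, explicit object actions.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListObjectsInBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::bucket-name"]},
    {"Sid": "ReadWriteObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::bucket-name/*"]}
  ]
}"""


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(doc: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version: use 2012-10-17 so policy variables and conditions apply")
    for stmt in doc.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource in an Allow grants everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: action {action} grants every API of the service")
            elif "*" in action or "?" in action:
                findings.append(f"{sid}: action {action} is a pattern; list the exact APIs instead")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: Resource * is not scoped to a bucket or object prefix")
    return findings


def lint_page_policy() -> list[str]:
    return lint_policy(json.loads(PAGE_POLICY))


def lint_hardened_policy() -> list[str]:
    return lint_policy(json.loads(HARDENED_POLICY))


if __name__ == "__main__":
    print("page policy:    ", lint_page_policy())
    print("hardened policy:", lint_hardened_policy())
```

On the page's policy the only finding is the s3:*Object pattern, which matches GetObject, PutObject and DeleteObject alike (plus their version-specific siblings); the hardened variant names the two APIs the function actually needs and passes clean.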
REMOVE ROLE: delete the role's inline policies before deleting the role

aws iam list-roles
aws iam list-role-policies --role-name api-executor
aws iam delete-role-policy --role-name api-executor --policy-name "log-writer"
aws iam delete-role --role-name pizza-api-executor

ADD ROLE POLICY

aws iam put-role-policy \
  --role-name pizza-api-executor \
  --policy-name PizzaApiDynamoDB \
  --policy-document file://./roles/dynamodb.json

The path to dynamodb.json must carry the file:// prefix. If you give an absolute path, keep in mind that there will be three slashes after file:.