AWS Role Access

Serval can be configured to give users time-bound access to specific AWS roles. Roles must be configured for ingestion into Serval, and provided with a policy that allows the role to be assumed using an OIDC token which will be generated by your identity provider.

Ingestion Configuration

Perform the following setup for each AWS account for which Serval will ingest roles and facilitate access.

AWS Account Ingestion Role configuration

Follow the guide to add give Serval access to an AWS role in your account.
Once the role is created, navigate to permissions and select “Create inline policy”\

Add the following permission policy. These permissions are required to be able to properly ingest all the data we require:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoleTags",
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "ec2:DescribeInstances",
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}

Facilitating Access to Specific AWS Roles

Create a new OIDC application

Add the OIDC application as an identity provider in AWS

Configure AWS roles so that Serval can grant temporary access to them

For each role / account that you wish Serval to ingest and facilitate access for, you will need to do the following.
Add a “serval” tag to the role. The key is “serval”, the value can be empty.
Attach any polices that you wish to be granted when the role is granted to a user.

Attach the following trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::${ACCOUNT_ID}:oidc-provider/${IDP_ISSUER_URL}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "${IDP_ISSUER_URL}:aud": "${SERVAL_OIDC_APP_CLIENT_ID}"
                }
            }
        }
    ]
}

The values are as follows:
- ACCOUNT_ID — The ID of the current AWS account being configured.
- IDP_ISSUER_URL — The URL of your IdP instance which was configured as an identity provider above.
- SERVAL_OIDC_APP_CLIENT_ID — The Client ID of the application created in your IdP.

So for example, the policy may look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::879395235829:oidc-provider/your-domain.okta.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "your-domain.okta.com:aud": "0oakcaaw2r3Cm0ICB1d7"
                }
            }
        }
    ]
}

Overview

Ticketing

Workflows

Access Management

CLI

Ingestion Configuration

Facilitating Access to Specific AWS Roles

Overview

Ticketing

Workflows

Access Management

CLI

​Ingestion Configuration

​Facilitating Access to Specific AWS Roles

Ingestion Configuration

Facilitating Access to Specific AWS Roles