Access Management
AWS Role Access
Serval can be configured to give users time-bound access to specific AWS roles.
Roles must be configured for ingestion into Serval, and provided with a policy that allows the role to be assumed using an OIDC token which will be generated by your identity provider.
Ingestion Configuration
Perform the following setup for each AWS account for which Serval will ingest roles and facilitate access.AWS Account Ingestion Role configuration
AWS Account Ingestion Role configuration
- Follow the guide to add give Serval access to an AWS role in your account.
-
Once the role is created, navigate to permissions and select “Create inline policy”
.png)
-
Add the following permission policy. These permissions are required to be able to properly ingest all the data we require:
Facilitating Access to Specific AWS Roles
Create a new OIDC application
Create a new OIDC application
- The following steps are for creating a new OIDC application in Okta, but any OIDC provider can be used.
- Visit the Okta Admin portal > Applications > Create App Integration
.png)
- Ensure it is an OIDC web application:
.png)
- Configure the correct URLs for sign-in redirect and logout. These should point to https://svflow-oidc.api.serval.com/oidc/auth/callback and https://svflow-oidc.api.serval.com/oidc/auth/logout respectively.
- Configure assignment:
.png)
- Once the application is saved, you will have a Client ID and Client Secret value:
.png)
- You will now need to add these values to Serval.
- Navigate to the AWS application instance in the Serval UI.
- Ensure that you have enabled “Access Management” functionality for the AWS application instance.
- In “Access Management” settings, select “Configure” next to “OIDC Provider”.
- Add the values from Okta to Serval. For Okta, ensure that the OIDC issuer URL is
https://<your-okta-domain>.okta.com/oauth2, as this is the correct Okta endpoint for OIDC authentication.
Add the OIDC application as an identity provider in AWS
Add the OIDC application as an identity provider in AWS
- You will need to do this for each account which has roles you want accessible via Serval.
- Visit IAM > Identity Providers.
- Select “Add Provider” and configure the provider accordingly:
- The provider URL will be your OIDC host URL.
- The audience will be the Client ID of the OIDC application created previously.
Configure AWS roles so that Serval can grant temporary access to them
Configure AWS roles so that Serval can grant temporary access to them
- For each role / account that you wish Serval to ingest and facilitate access for, you will need to do the following.
- Add a “serval” tag to the role. The key is “serval”, the value can be empty.
- Attach any polices that you wish to be granted when the role is granted to a user.
-
Attach the following trust policy:
-
The values are as follows:
ACCOUNT_ID— The ID of the current AWS account being configured.IDP_ISSUER_URL— The URL of your IdP instance which was configured as an identity provider above.SERVAL_OIDC_APP_CLIENT_ID— The Client ID of the application created in your IdP.
-
So for example, the policy may look like this: