
Default IAM Identity Center Roles

The Science Cloud provides three default IAM Identity Center managed roles, which are automatically available in all tenant accounts:

Role Name                    AWS Managed Policy
Tenant-Full-Read-Only        ReadOnlyAccess
Tenant-Project-Power-Users   PowerUserAccess
Tenant-Project-Admins        AdministratorAccess

Reference Links: To view the specific permissions granted by these policies, refer to the official AWS documentation:

Important Notes on Default Roles

  • Naming Convention: The {Tenant} prefix in the role name is uniquely generated for every tenant account.
  • ARN Suffix: The Amazon Resource Name (ARN) for the IAM role includes a randomized suffix that is unique to each account.
  • Access Management: The user groups corresponding to each role are managed in the Science Cloud's Entra ID identity provider. Initial membership for these groups is established during your account's creation or migration.
  • Membership Changes: If you need to add or remove members from these groups, please open a support ticket with the Science Cloud.
  • Security Enforcement: To ensure compliance with Multi-Factor Authentication (MFA) security policies, creating new IAM users is strictly prohibited in tenant accounts. All permissions must be managed using IAM roles.

Custom Tenant Identity Center Roles

Some tenants have specific business requirements that necessitate creating custom Identity Center managed roles. These custom roles allow users to log in or interact with the AWS API using a highly tailored set of permissions.

While the Science Cloud fully supports custom role creation, we recommend a hybrid approach to minimize your ongoing dependence on the Science Cloud support desk. This approach allows you to manage fine-grained user and role policies directly within your own tenant account.

How the Hybrid Approach Works:

  1. Initial Provisioning: The Science Cloud uses Infrastructure as Code (IaC) to create a new, custom Identity Center managed role for your tenant.
  2. Entra ID Integration: We create a new Entra ID group and link it to this role to manage who has access.
  3. Secure Access: The role immediately becomes available to group members through the AWS Access Portal, fully protected by MFA authentication.
  4. AssumeRole Restriction: For security and delegation, the newly created role only has permission to perform an sts:AssumeRole action. This action is limited to a specific subset of account roles, designated by a wildcard prefix in the IAM resource name.
  5. Tenant Autonomy: Once this framework is set up, the tenant has the freedom to create and manage their own additional roles, inline policies, attached policies, and selective trust policies for specific user/role mappings as they see fit.
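The AssumeRole-only permission-set policy from step 4 beside the trust policy a tenant would attach to one of its own roles in step 5, plus a guardrail check that a provisioned permission set grants nothing beyond that pivot; this is an added example, not the Science Cloud's own IaC. The account id, the "TenantApp-" prefix and the "TenantApp-Pivot" permission-set name are constructed placeholders, and the AWSReservedSSO_<permission-set>_<suffix> role name is the standard form AWS Identity Center provisions, which is where the randomized ARN suffix noted above comes from.

```python
import fnmatch

# Constructed placeholders, not values from the page: a tenant account id, the
# prefix shared by the tenant's own roles, and the custom permission-set name.
ACCOUNT_ID = "111122223333"
ROLE_PREFIX = "TenantApp-"
PERMISSION_SET = "TenantApp-Pivot"

def assume_role_only_policy(account_id: str, prefix: str) -> dict:
    """Step 4: the permission set's only grant is sts:AssumeRole on roles
    whose name starts with the tenant prefix (wildcard in the resource ARN)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{account_id}:role/{prefix}*"}]}

def tenant_role_trust_policy(account_id: str, permission_set: str) -> dict:
    """Step 5: trust policy on a tenant-created role. Identity Center names its
    role AWSReservedSSO_<permission-set>_<random suffix>; as the suffix is not
    known up front, the caller is pinned with ArnLike on aws:PrincipalArn."""
    sso_role = (f"arn:aws:iam::{account_id}:role/aws-reserved/"
                f"sso.amazonaws.com/*AWSReservedSSO_{permission_set}_*")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalArn": sso_role}}}]}

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def is_assume_role_only(policy: dict) -> bool:
    """Guardrail for a provisioned permission set: every Allow statement grants
    nothing but sts:AssumeRole, and never on '*' or on every role."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(a.lower() != "sts:assumerole" for a in _as_list(stmt.get("Action"))):
            return False
        if any(r == "*" or r.endswith(":role/*") for r in _as_list(stmt.get("Resource"))):
            return False
    return True

def assumable_roles(policy: dict, role_arns: list) -> list:
    """Role ARNs the policy lets the Identity Center role assume; IAM resource
    wildcards ('*' any run of characters, '?' one character) map onto fnmatch."""
    patterns = [r for s in policy["Statement"] if s.get("Effect") == "Allow"
                for r in _as_list(s.get("Resource"))]
    return [arn for arn in role_arns
            if any(fnmatch.fnmatchcase(arn, p) for p in patterns)]
```

The Principal is the account root with the Identity Center role pinned in the Condition because IAM does not accept wildcards in the Principal element; the "*" before AWSReservedSSO_ also covers the optional region segment in that role's path.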