This project is related to managing AWS resource configuration & deployment for Iliyan's personal AWS account.
TODO: The repository contains the agreed folder structure that the project should contain. Each folder reflects an AWS resource. Please remove unnecessary folders from the repository.
TODO: Guide users through getting your code up and running on their own system. In this section you can talk about:
- Installation process
- Software dependencies
- Latest releases
- API references
TODO: Describe and show how to build your code and run the tests.
TODO: Explain how other users and developers can contribute to make your code better.
Manually create an AWS IAM Identity Center instance and connect it as a SAML service provider to Azure AD (Entra ID) in the Backsy tenant
source: Microsoft doc page
- Enable IAM Identity Center in the AWS account.
- In Azure go to Entra ID > Enterprise Apps > New application, search for "AWS IAM Identity Center (successor to AWS Single Sign-On)" and give it a name like `AWS SSO - Alient <last 4 digits of your AWS account ID>`, then click Create.
- Next you need to establish the trust relationship between Entra ID and IAM Identity Center. Open the newly created Enterprise App > Single sign-on > SAML. On the SAML page click the pencil icon (Edit) for Basic SAML Configuration. The Upload metadata file button there expects the service-provider metadata from AWS, which the next steps produce.
- On the AWS IAM Identity Center side, click Customize AWS access portal URL and set the subdomain following the same naming standard as the other personal AWS accounts: `portal-alien-aws`.
- Still in AWS, go to Identity source > Actions > Change identity source and choose External identity provider. Copy the AWS access portal sign-in URL (it goes into the Azure field Sign on URL (Optional) after the metadata upload) and download the IAM Identity Center SAML metadata file.
- Go back to the Azure SAML configuration page, click Upload metadata file and choose the IAM Identity Center SAML metadata file you downloaded from AWS, then paste the copied AWS access portal sign-in URL into Sign on URL (Optional) and save.
- On the same Azure SAML page go to SAML Certificates and download the Federation Metadata XML file, then upload it on the AWS side under IdP SAML metadata. This file carries the Entra ID signing certificate and sign-on endpoints that IAM Identity Center will trust; if that certificate is later rotated in Azure, the metadata must be re-uploaded or sign-in breaks.
- In AWS click Next, review the change and type ACCEPT to confirm.
- Back in Azure, open the Enterprise App > Provisioning to set up SCIM sync of Entra ID users and groups into IAM Identity Center (these become Identity Center users, not IAM users). Set Provisioning Mode to Automatic and fill in the following credentials:
  - Tenant URL = the SCIM endpoint shown on the AWS side
  - Secret Token = the Access token from the AWS side
- Generate that token in AWS under IAM Identity Center > Identity source > Actions > Manage provisioning > Generate token. It is a bearer credential for the SCIM API: keep it in a secret store rather than in this repository, and note that IAM Identity Center SCIM access tokens expire after one year, so plan the rotation.
- Now add the principals to be provisioned: in the Azure Provisioning blade click Users, click Add and search for BTG (the break-glass user or group).
- Finally, go back to the Provisioning page and click Start provisioning.
- On the AWS side go to Permission sets, create a permission set and add the following:
  - Predefined permission set > AWS managed policy > AdministratorAccess
  - Name: `BreakingTheGlass-Administrator`
  - Description: `Admin privilege for emergency`
- Next go to AWS accounts > Assign users or groups and link BTG to the permission set created above. Because this grants full administrative rights, keep the permission set's session duration short and make sure MFA is enforced for the BTG identities in Entra ID; use of this permission set should be the exception and should be noticed.
- Voilà, you are ready!
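The Federation Metadata XML exchanged in the steps above is what tells IAM Identity Center which Entra ID signing certificate and sign-on endpoints to trust, so it is worth checking before uploading it. The script below is an added example written for this README (it is not code from this repository, Microsoft or AWS): it parses IdP metadata, verifies that a signing certificate and HTTPS SSO endpoints are present, and reads the certificate's notAfter directly from the DER so it runs with the standard library only. The metadata and certificate it uses by default are constructed samples (a placeholder tenant id and an unsigned dummy certificate), and `check_idp_metadata`, `sample_metadata` and the other names are this example's own, not names from any product.

```python
"""Sanity-check IdP SAML metadata (e.g. an Entra ID Federation Metadata XML) before
uploading it to IAM Identity Center. Added example, not repository code; the sample
metadata and certificate below are constructed so that the script runs offline."""
import base64
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant id


def der_tlv(buf, pos):
    """Decode one DER tag-length-value starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def cert_not_after(der_bytes):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC datetime."""
    _, cert, _ = der_tlv(der_bytes, 0)      # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)            # tbsCertificate SEQUENCE
    tag, _, pos = der_tlv(tbs, 0)           # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = der_tlv(tbs, pos)       # serialNumber
    _, _, pos = der_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = der_tlv(tbs, pos)           # issuer Name
    _, validity, _ = der_tlv(tbs, pos)      # validity SEQUENCE { notBefore, notAfter }
    _, _, pos = der_tlv(validity, 0)        # notBefore
    tag, value, _ = der_tlv(validity, pos)  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def check_idp_metadata(xml_text, now_iso=None, warn_days=30):
    """Return a report dict; an empty 'problems' list means the file looks safe to upload."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "sso_urls": [], "not_after": None,
              "days_left": None, "problems": []}
    if root.tag != f"{{{MD}}}EntityDescriptor" or not report["entity_id"]:
        report["problems"].append("root is not an EntityDescriptor with an entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        report["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return report
    report["sso_urls"] = [e.get("Location", "") for e in idp.findall(f"{{{MD}}}SingleSignOnService")]
    if not report["sso_urls"]:
        report["problems"].append("no SingleSignOnService endpoint")
    for url in report["sso_urls"]:
        if not url.startswith("https://"):
            report["problems"].append(f"non-HTTPS SSO endpoint: {url}")
    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption alike.
    certs = [c.text for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text]
    if not certs:
        report["problems"].append("no signing certificate: AWS could not verify assertions")
        return report
    report["not_after"] = cert_not_after(base64.b64decode(certs[0]))
    report["days_left"] = (report["not_after"] - now).days
    if report["days_left"] < 0:
        report["problems"].append("signing certificate has expired")
    elif report["days_left"] < warn_days:
        report["problems"].append(f"signing certificate expires in {report['days_left']} days")
    return report


def der(tag, content):
    """Minimal DER encoder (short-form lengths only) for the constructed sample certificate."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def sample_cert_der(not_after="261231235959Z"):
    """Constructed, unsigned X.509 skeleton with just enough structure for cert_not_after()."""
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                  # [0] version v3
        der(0x02, b"\x01"),                                             # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        der(0x30, b""),                                                 # issuer (empty Name)
        der(0x30, der(0x17, b"240101000000Z") + der(0x17, not_after.encode())),  # validity
        der(0x30, b""),                                                 # subject (empty Name)
        der(0x30, b""),                                                 # subjectPublicKeyInfo (empty)
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


def sample_metadata(sso_url=f"https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2", cert_der=None):
    """Constructed metadata in the shape of an Entra ID Federation Metadata XML."""
    cert_b64 = base64.b64encode(cert_der or sample_cert_der()).decode()
    return f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
      <X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{sso_url}"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{sso_url}"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


if __name__ == "__main__":  # usage: python check_idp_metadata.py [FederationMetadata.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_metadata()
    print(check_idp_metadata(text))
```

Run it against the file downloaded from Azure (`python check_idp_metadata.py FederationMetadata.xml`) before uploading it to AWS, and keep the reported notAfter date somewhere a reminder will fire: the same check, run periodically against the metadata currently in AWS, gives advance warning before an Entra ID certificate rollover silently breaks the federation.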