Skip to main content
Version: v4.17

SSO for Amazon S3

Enable SSO login on your S3 data endpoint

To enable SSO login for your S3 data repository:

  1. In the Cyral control plane UI, go to Data Repos ➡️ click the name of your S3 repository ➡️ Config ➡️ Authentication
  2. Disable the toggle Allow native authentication
  3. Under Select a user authentication method, select Cyral Access Token
  4. Choose your Identity Provider from the drop-down box and click Save
  5. Under Policy Enforcement, enable Enable policy enforcement and Block on violations and click Save

Proceed to the next section to add IAM roles.

Provide the IAM roles needed for accessing S3

To make S3 requests, the sidecar assumes an IAM role (known as a local account in Cyral) that you have assigned to the SSO user. Follow the steps below to set this up.

tip

For more information on IAM role settings see Make AWS IAM role settings, below.

  1. In the Cyral control plane UI, go to Data Repos ➡️ click the name of your S3 repository ➡️ Access Rules

  2. Specify the IAM roles that will provide your users access to S3. (In the next section, you will map SSO users or groups to the IAM roles you've specified here.) Here, provide the:

    • Role ARN
    • List of buckets this role is allowed to access
    • Toggle on Auto Approval if needed.
  3. Click Track.

Proceed to the next section to map users to IAM roles.

Map an SSO user or group to an IAM Role

When a user authenticates, they are mapped to one or more IAM roles to access S3. This mapping is based on their SSO username and and their membership in SSO groups. A user will often be mapped to multiple IAM roles and, at the time of accessing a bucket, they will pick the IAM role they need in order to operate on the bucket they want.

Set up the mappings as follows:

  1. In the Repositories page, click Identity to Account Map and click the ➕ (plus sign).
  2. Choose User or Group as the identity type.
  3. In the Identity field, specify the SSO user name or group name as it's written in your identity service.
  4. In the Local Account field, choose the name of the IAM role.
  5. In the Duration field, set a length of validity for the access, or click Unlimited to grant access that will not expire automatically.
  6. Click Create.

Repeat this procedure to map more IAM roles, and keep in mind that you can map one SSO user or group to many IAM roles.

Once your mappings are complete, proceed to the next section to set up trust relationships between IAM roles.

Make AWS IAM role settings

It is important to make sure that the IAM role associated with the sidecar is trusted by the IAM roles used for managing S3.

Find your sidecar host role

After deploying the sidecar, the IAM role associated with the sidecar is created with name <sidecar-cft-stack-name>SidecarHostRole-*

Below is an example sidecar host role created for a sidecar with stack name jc-t01

> aws iam list-roles
// Sidecar Role
{
"Path": "/",
"RoleName": "jc-t01-SidecarHostRole-MOVF2C5ORWCY",
"RoleId": "AROA2TGP77HETTOXZZB46",
"Arn": "arn:aws:iam::<accountId>:role/jc-t01-SidecarHostRole-MOVF2C5ORWCY",
"CreateDate": "2020-12-22T23:58:42Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "",
"MaxSessionDuration": 3600
},

Create suitable IAM roles for S3 access and establish trust with the sidecar's role

The various roles and the extent of permissions for each role is up to your organization. In the below example, we show two roles SidecarReadOnlyRole and SidecarS3FullAccess. There is a trust relationship between these roles and the SidcarHostRole. This trust relationship allows sidecar to assume these roles.

Role with read-only access:

// S3 Access Read-Only
{
"Path": "/",
"RoleName": "SidecarReadOnlyRole",
"RoleId": "AROA2TGP77HEZGE2FX3G4",
"Arn": "arn:aws:iam::<accountId>:role/SidecarReadOnlyRole",
"CreateDate": "2020-12-14T18:48:08Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
// ARN of the sidecar IAM role
"AWS":"arn:aws:iam::<accountid>:role/jc-t01-SidecarHostRole-MOVF2C5ORWCY"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Allows EC2 instances to call AWS services on your behalf.",
"MaxSessionDuration": 3600
}

Role with full access:

// S3 Role Full Access
{
"Path": "/",
"RoleName": "SidecarS3FullAccess",
"RoleId": "AROA2TGP77HEYZQT3DH4A",
"Arn": "arn:aws:iam::<accountId>:role/SidecarS3FullAccess",
"CreateDate": "2020-12-14T18:48:32Z",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
// ARN of the sidecar IAM role
"AWS": "arn:aws:iam::<accountId>:role/jc-t01-SidecarHostRole-MOVF2C5ORWCY"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Allows EC2 instances to call AWS services on your behalf.",
"MaxSessionDuration": 3600
}

By having the sidecar role as a trusted entity for your S3 management roles, you are allowing the sidecar to assume these custom roles, when required, for connecting to the S3 servers when handling SSO connections.

This information can also be edited in your AWS Console in the IAM: Roles section.

Next steps

Users can begin connecting to S3 as shown here: