I will start by stating that I have no experience configuring cross-account permissions (trying to remedy that). I have set up a multi-account infrastructure in AWS. I have a root account that has the SAML provider, and it successfully allows me to connect to other child accounts. I have some CDK stacks set up in the child application accounts (dev, staging, production). When I try to deploy, I get an error stating that I don't have access to the SAML provider, which makes sense as the deployment is running against the dev account. Here is the relevant part of the stack in question...
```typescript
const samlProvider = iam.SamlProvider.fromSamlProviderArn(this, "saml-provider", "arn:aws:iam::XXXXXX");
const endpoint = this.vpc.addClientVpnEndpoint('Endpoint', {
  cidr: '10.10.0.0/16',
  serverCertificateArn: this.domainCert.certificateArn,
  userBasedAuthentication: ec2.ClientVpnUserBasedAuthentication.federated(samlProvider),
  authorizeAllUsersToVpcCidr: true,
});
```
I believe I need to add an inline policy on the root account granting get access to the SAML provider, but I am not sure of the syntax. Any help figuring this out would be appreciated.
I was not sure what actions were needed, so I just added all of the get permissions.
I tried the following policy...
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetSamlProvider",
      "Effect": "Allow",
      "Action": [
        "iam:GetSAMLProvider"
      ],
      "Resource": [
        "arn:aws:iam::XXXXXXX"
      ]
    }
  ]
}
```
I still get the same permissions error: "You do not have access to supplied SAML Provider arn."
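The CDK stack above hands Client VPN an IAM SAML provider ARN, and IAM SAML providers are per-account resources, so a useful check before deploying is whether the ARN is well formed (`arn:aws:iam::123456789012:saml-provider/Name`) and whether its account ID matches the account the stack is being deployed into. The following is an added example, not code from the question or from CDK; the policy document, account IDs and provider name are constructed placeholders.

```typescript
// Added example (not from the question): parse IAM SAML provider ARNs and flag
// policy statements that reference a provider outside the deployment account.
// Real SAML provider ARNs look like arn:aws:iam::123456789012:saml-provider/Name.

interface SamlProviderRef {
  account: string;
  name: string;
}

const SAML_PROVIDER_ARN = /^arn:aws:iam::(\d{12}):saml-provider\/([\w+=,.@_-]+)$/;

// Returns the account ID and provider name, or null if the ARN is not a SAML provider ARN.
export function parseSamlProviderArn(arn: string): SamlProviderRef | null {
  const m = SAML_PROVIDER_ARN.exec(arn);
  if (!m) return null;
  return { account: m[1] as string, name: m[2] as string };
}

// Minimal view of an IAM policy document, enough for this check.
interface PolicyStatement {
  Sid?: string;
  Effect: string;
  Action: string | string[];
  Resource: string | string[];
}
interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

// Walks every Resource entry and reports ARNs that are malformed or that point at a
// SAML provider owned by a different account than the one being deployed to.
export function findCrossAccountSamlResources(policy: PolicyDocument, deployAccount: string): string[] {
  const findings: string[] = [];
  for (const st of policy.Statement) {
    const sid = st.Sid ?? "<no Sid>";
    const resources = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
    for (const r of resources) {
      const ref = parseSamlProviderArn(r);
      if (ref === null) {
        findings.push(`${sid}: '${r}' is not a well-formed SAML provider ARN`);
        continue;
      }
      if (ref.account !== deployAccount) {
        findings.push(
          `${sid}: provider '${ref.name}' belongs to account ${ref.account}, not the target account ${deployAccount}`
        );
      }
    }
  }
  return findings;
}

// Constructed sample: a policy written against the management account's provider
// (account 111111111111) while the stack is deployed into a dev account (222222222222).
export const samplePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "GetSamlProvider",
      Effect: "Allow",
      Action: ["iam:GetSAMLProvider"],
      Resource: ["arn:aws:iam::111111111111:saml-provider/CorpIdP"],
    },
  ],
};
export const DEV_ACCOUNT = "222222222222";
export const MGMT_ACCOUNT = "111111111111";

// Example run: one finding when checking against the dev account, none against the owner.
console.log(findCrossAccountSamlResources(samplePolicy, DEV_ACCOUNT));
```

Run it with `npx ts-node check-saml-arn.ts` (file name assumed); a non-empty result means the policy or stack references a provider that the target account does not own, which is worth resolving before looking at IAM action permissions.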