I'm working with an external customer who needs to assume a role in my AWS account. However, I've run into an issue because the AWS console doesn't support using an external ID for role assumption. This means I can't include the external ID condition for the role in my account, and I'm relying entirely on the IAM role ARN from the external customer. I'm concerned about the potential risks associated with this setup, particularly regarding the 'confused deputy' problem. Is this approach risky, and are there better methods to manage access securely?
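As an added illustration of the trust-policy shapes the question is weighing (this is example code, not part of the question or answer, and not AWS's tooling), the script below classifies an IAM role trust policy offline by how broadly it delegates `sts:AssumeRole`: a whole-account principal with no `sts:ExternalId` or `aws:PrincipalArn` condition, a whole-account principal narrowed by one of those keys, or a single role ARN. The policies, account IDs, role names and Sids are constructed placeholders; the function and constant names are my own. It reads policy JSON you already have (for instance from `aws iam get-role`) so it runs without AWS credentials.

```python
"""Added example: classify an IAM role trust policy by how broadly it delegates
sts:AssumeRole. Not from the original thread; all ARNs, account IDs and Sids
below are constructed placeholders (account 111122223333 is illustrative)."""
import json

SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def assess_trust_policy(policy: dict) -> list:
    """Return one finding per trusted AWS principal in each Allow/AssumeRole statement."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        trusted = (_as_list(principal.get("AWS", []))
                   if isinstance(principal, dict) else _as_list(principal))
        # Condition is {operator: {condition_key: value}}; collect keys regardless of operator
        cond_keys = {k.lower() for ops in stmt.get("Condition", {}).values() for k in ops}
        scoped = "sts:externalid" in cond_keys or "aws:principalarn" in cond_keys
        sid = stmt.get("Sid", "<no Sid>")
        for p in trusted:
            if p == "*":
                sev, why = "critical", "any AWS principal may assume the role"
            elif p.endswith(":root") or p.isdigit():
                # Whole account trusted: every principal the account owner chooses to delegate to
                if scoped:
                    sev, why = "medium", "whole account trusted, narrowed by a condition key"
                else:
                    sev, why = "high", ("whole account trusted with no sts:ExternalId "
                                        "or aws:PrincipalArn condition")
            else:
                sev, why = "low", "specific principal ARN trusted"
            findings.append({"sid": sid, "principal": p, "severity": sev, "reason": why})
    return findings


def max_severity(policy: dict) -> str:
    """Highest severity across all findings, or 'none' if nothing delegates AssumeRole."""
    findings = assess_trust_policy(policy)
    if not findings:
        return "none"
    return max((f["severity"] for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample: trusts the customer's whole account, no condition at all.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CustomerWholeAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: same account, but requires the external ID the question mentions.
EXTERNAL_ID_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CustomerWithExternalId",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

# Constructed sample: trusts only one named role in the customer's account.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CustomerSpecificRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/CostExplorerReviewer"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_TRUST_POLICY),
                      ("external-id", EXTERNAL_ID_TRUST_POLICY),
                      ("hardened", HARDENED_TRUST_POLICY)]:
        print(name, max_severity(pol), json.dumps(assess_trust_policy(pol), indent=1))
```

Trusting a specific role ARN rather than the account root is rated lowest here because the trusted party can no longer hand the assumption to an arbitrary principal in their account; the trade-off is that if that role is deleted and recreated, IAM replaces the ARN in your trust policy with the old role's unique ID and the trust silently stops working, so the check is a review aid, not a substitute for an `sts:ExternalId` or `aws:PrincipalArn` condition where the caller can supply one.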
1 Answer
What exactly do they need access to? If it's just the AWS console, have you thought about setting them up as an IAM Identity Center user through your identity provider instead? It could make things easier for management.

They're looking for access to the Cost Explorer in an account where they're the tenant, but we manage that AWS account for them. I figured using an IAM role for access would be simpler.