In our AWS accounts we use an Identity Provider to log in (console, cli) with IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). We have federated IAM Roles like Developer, ReadOnly, FullAdmin. I mention that it is only human operators (not other AWS services) that use these roles.
From the IAM Role Trusted Entities:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::[aws-account-id]:saml-provider/[idp-name]"
            },
            "Action": "sts:AssumeRoleWithSAML"
        }
    ]
}
My questions:
- I would like to find/see at a given moment (current or past) the IDP users who assumed a specific IAM role (for example ReadOnly). The command aws sts get-caller-identity shows only the information of my session:
aws sts get-caller-identity
{
    "UserId": "AROAVZJJ5J7KYGVGP3XAG:[email protected]",
    "Account": "[aws-account-id]",
    "Arn": "arn:aws:sts::[aws-account-id]:assumed-role/ReadOnly/[email protected]"
}
- Which event name in CloudTrail could I use to find this information?
Thank you.
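An added example (not part of the question above, and not AWS code) showing how the federated sign-ins for one role can be pulled out of CloudTrail: the STS call sts:AssumeRoleWithSAML from the trust policy is recorded as the CloudTrail event name AssumeRoleWithSAML, and each record carries the requested roleArn and the resulting assumed-role session ARN. The account id, user names and timestamps below are constructed sample data; the boto3 fetch helper assumes credentials with cloudtrail:LookupEvents.

```python
import json
from datetime import datetime, timezone

def _rec(ts, user, role, acct="111122223333", name="AssumeRoleWithSAML"):
    """Constructed STS record (not a real event) with only the fields read below."""
    return {
        "eventTime": ts, "eventSource": "sts.amazonaws.com", "eventName": name,
        "userIdentity": {"type": "SAMLUser", "userName": user},
        "requestParameters": {"roleArn": f"arn:aws:iam::{acct}:role/{role}",
                              "roleSessionName": user},
        "responseElements": {"assumedRoleUser": {
            "arn": f"arn:aws:sts::{acct}:assumed-role/{role}/{user}"}},
    }

# Constructed sample: two SAML sign-ins to ReadOnly, one to Developer, and a
# plain AssumeRole (a non-federated caller) that must not be counted.
SAMPLE_EVENTS = [
    _rec("2024-01-15T09:12:33Z", "alice@example.com", "ReadOnly"),
    _rec("2024-01-15T10:40:01Z", "bob@example.com", "Developer"),
    _rec("2024-01-16T08:05:17Z", "carol@example.com", "ReadOnly"),
    _rec("2024-01-16T08:06:00Z", "svc", "ReadOnly", name="AssumeRole"),
]

def saml_role_sessions(events, role_name, start=None, end=None):
    """Return sorted (eventTime, IdP user, session ARN) tuples for every
    successful AssumeRoleWithSAML record for role_name, optionally limited
    to the UTC window [start, end]. Denied attempts (errorCode set) are skipped."""
    out = []
    for ev in events:
        if (ev.get("eventSource") != "sts.amazonaws.com"
                or ev.get("eventName") != "AssumeRoleWithSAML" or "errorCode" in ev):
            continue
        role_arn = ev.get("requestParameters", {}).get("roleArn", "")
        if role_arn.rsplit("/", 1)[-1] != role_name:
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        t = t.replace(tzinfo=timezone.utc)
        if (start and t < start) or (end and t > end):
            continue
        out.append((ev["eventTime"], ev["userIdentity"].get("userName"),
                    ev["responseElements"]["assumedRoleUser"]["arn"]))
    return sorted(out)

def fetch_saml_events(start, end, region="us-east-1"):
    """Pull AssumeRoleWithSAML records from CloudTrail event history (last 90
    days). STS calls via the global endpoint are recorded in us-east-1; calls
    to a regional STS endpoint are recorded in that region."""
    import boto3  # imported here so the offline functions above run without it
    pages = boto3.client("cloudtrail", region_name=region).get_paginator(
        "lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "EventName",
                           "AttributeValue": "AssumeRoleWithSAML"}],
        StartTime=start, EndTime=end)
    return [json.loads(e["CloudTrailEvent"]) for p in pages for e in p["Events"]]
```

For "who is in ReadOnly right now", query a window starting at now minus the role's maximum session duration, since a federated session cannot outlive that limit; for history older than 90 days, run the same filter over the trail's log files in S3 or CloudTrail Lake instead of LookupEvents.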