IAM Roles Anywhere lets you define a custom set of mapping rules that specify which data is extracted from an authenticating certificate and made available as session tags for use in authorization policies. These customized attribute mappings are associated with a profile.
The data elements are referred to as attributes and are sourced from known fields of the certificate. Specifiers are used to represent one or more attributes.
Default mapping behavior
The following attributes are mapped by default when you create a profile. The default mapping rules are as follows:
- x509Subject: maps all supported Relative Distinguished Names (RDNs) from an authenticating certificate's Subject into distinct PrincipalTag elements in the session.
- x509Issuer: maps all supported Relative Distinguished Names (RDNs) from an authenticating certificate's Issuer into distinct PrincipalTag elements in the session.
- x509SAN (Subject Alternative Name): maps the first value of each of the following types: DNS Names, Directory Name (DN), and URI Names.
To view the mappings currently associated with a profile, use the following command:
$ aws rolesanywhere get-profile --profile-id PROFILE_ID
The default mapping rules in JSON format:
"attributeMappings": [
{
"mappingRules": [
{
"specifier": "*"
}
],
"certificateField": "x509Issuer"
},
{
"mappingRules": [
{
"specifier": "DNS"
},
{
"specifier": "URI"
},
{
"specifier": "Name/*"
}
],
"certificateField": "x509SAN"
},
{
"mappingRules": [
{
"specifier": "*"
}
],
"certificateField": "x509Subject"
}
]
Note
If you see * as a specifier, it signifies the default behavior, which maps all recognizable RDNs for x509Subject, x509Issuer and x509SAN/Name. However, * does not have a defined behavior in the context of x509SAN/URI, x509SAN/DNS, or x509SAN/. The specifier Name/ represents the first recognizable attribute of the Directory Name. Both Name and Name/ are equivalent to Name/* and will be displayed as Name/* in the mapping rule.
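The following is an added example written for this page, not AWS code: it models how the default mapping rules above and the specifier equivalences in the note turn the fields of a parsed certificate into session tags, and then evaluates a trust-policy StringEquals condition against those tags. The sample certificate is constructed inline. The tag key format (x509Subject/CN, x509Issuer/CN, x509SAN/DNS, x509SAN/URI, x509SAN/Name/CN), the list of RDN types treated as supported, the first-occurrence rule for repeated RDNs, the RESTRICTED_MAPPINGS profile and the policy_allows helper are all assumptions made for the illustration; check the service documentation for the authoritative behavior.

```python
"""Model of how IAM Roles Anywhere attribute-mapping rules turn certificate
fields into session tags.  Added illustration for this page, not AWS code:
the tag key format, the recognised RDN list and the duplicate-RDN handling
below are assumptions to verify against the service documentation."""
from __future__ import annotations

# Assumption: RDN types the service recognises when a rule says "*".
SUPPORTED_RDNS = ("CN", "C", "L", "ST", "O", "OU", "DC", "SN", "GN")

# Constructed sample of a parsed end-entity certificate.  Subject and Issuer
# are RDN lists in certificate order; SAN entries are (type, value) pairs,
# where a Directory Name value is itself an RDN list.
SAMPLE_CERT = {
    "subject": [("C", "US"), ("O", "Example Corp"), ("OU", "Payments"),
                ("CN", "app-01"), ("serialNumber", "0042")],
    "issuer": [("C", "US"), ("O", "Example Corp"),
               ("CN", "Example Corp Issuing CA")],
    "san": [("DNS", "app-01.payments.example.internal"),
            ("DNS", "app-01.example.internal"),
            ("URI", "spiffe://example.internal/payments/app-01"),
            ("Name", [("O", "Example Corp"), ("CN", "app-01-san")])],
}

# The default rules exactly as get-profile returns them (see the JSON above).
DEFAULT_MAPPINGS = [
    {"certificateField": "x509Issuer", "mappingRules": [{"specifier": "*"}]},
    {"certificateField": "x509SAN", "mappingRules": [{"specifier": "DNS"},
                                                     {"specifier": "URI"},
                                                     {"specifier": "Name/*"}]},
    {"certificateField": "x509Subject", "mappingRules": [{"specifier": "*"}]},
]

# Hypothetical tightened profile: only the Subject CN and SAN URI become tags.
RESTRICTED_MAPPINGS = [
    {"certificateField": "x509Subject", "mappingRules": [{"specifier": "CN"}]},
    {"certificateField": "x509SAN", "mappingRules": [{"specifier": "URI"}]},
]

_RDN_SOURCE = {"x509Subject": "subject", "x509Issuer": "issuer"}


def normalize_specifier(field: str, specifier: str) -> str:
    """Apply the equivalences from the note: Name == Name/ == Name/*, and
    reject '*' for x509SAN, where the page says it has no defined behavior."""
    if field == "x509SAN":
        if specifier in ("Name", "Name/"):
            return "Name/*"
        if specifier == "*":
            raise ValueError("'*' has no defined behavior for x509SAN; "
                             "use DNS, URI or Name/<RDN|*>")
    return specifier


def _map_rdns(prefix: str, rdns, specifier: str, tags: dict) -> None:
    """'*' maps every supported RDN, otherwise only the named RDN type.
    Assumption: if an RDN type repeats, the first occurrence becomes the tag."""
    for rdn_type, value in rdns:
        if rdn_type not in SUPPORTED_RDNS:
            continue                      # e.g. serialNumber is dropped
        if specifier in ("*", rdn_type):
            tags.setdefault(f"{prefix}/{rdn_type}", value)


def session_tags(cert: dict, attribute_mappings: list) -> dict:
    """Return the PrincipalTag key/value pairs a session would carry."""
    tags: dict[str, str] = {}
    for mapping in attribute_mappings:
        field = mapping["certificateField"]
        for rule in mapping["mappingRules"]:
            spec = normalize_specifier(field, rule["specifier"])
            if field in _RDN_SOURCE:
                _map_rdns(field, cert[_RDN_SOURCE[field]], spec, tags)
            elif field == "x509SAN":
                if spec in ("DNS", "URI"):
                    first = next((v for t, v in cert["san"] if t == spec), None)
                    if first is not None:
                        tags[f"x509SAN/{spec}"] = first    # first value only
                elif spec.startswith("Name/"):
                    dn = next((v for t, v in cert["san"] if t == "Name"), None)
                    if dn is not None:
                        _map_rdns("x509SAN/Name", dn, spec[len("Name/"):], tags)
                else:
                    raise ValueError(f"unsupported x509SAN specifier {spec!r}")
            else:
                raise ValueError(f"unknown certificateField {field!r}")
    return tags


def policy_allows(tags: dict, string_equals: dict) -> bool:
    """Evaluate a StringEquals condition block of the kind used in a role's
    trust policy, e.g. {"aws:PrincipalTag/x509Subject/OU": "Payments"}.
    A tag that never reached the session can never satisfy the condition."""
    prefix = "aws:PrincipalTag/"
    for key, expected in string_equals.items():
        if not key.startswith(prefix):
            raise ValueError(f"only {prefix}* keys are modelled here")
        if tags.get(key[len(prefix):]) != expected:
            return False
    return True


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_MAPPINGS),
                        ("restricted", RESTRICTED_MAPPINGS)):
        print(f"--- {name} profile ---")
        for key, value in sorted(session_tags(SAMPLE_CERT, rules).items()):
            print(f"{key} = {value}")
```

Running the script prints the tag set for both profiles. Under the default rules every supported Subject and Issuer RDN, the first DNS and URI SAN values, and the RDNs of the first Directory Name all become tags, so a trust policy keyed on x509Subject/OU matches. Under the restricted profile the OU never reaches the session, so the same condition fails; narrowing the mapping is the least-privilege choice when a policy only needs the CN or the SPIFFE-style URI, because anything not mapped cannot be relied on or abused by ABAC rules downstream.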