Values for AWS STS APIs with SAML and Web Identity Federation

AWS CloudTrail supports logging AWS Security Token Service (AWS STS) API calls made with Security Assertion Markup Language (SAML) and web identity federation. When a call is made to the AssumeRoleWithSAML and AssumeRoleWithWebIdentity APIs, CloudTrail records the call and delivers the event to your Amazon S3 bucket.

The userIdentity element for these APIs contains the following values.

type
The identity type.

  • SAMLUser – The request was made with a SAML assertion.
  • WebIdentityUser – The request was made by a web identity federation provider.
principalId
A unique identifier for the entity that made the call.

  • For SAMLUser, this is a combination of the saml:namequalifier and saml:sub keys.
  • For WebIdentityUser, this is a combination of the issuer, application ID, and user ID.
userName
The name of the identity that made the call.

  • For SAMLUser, this is the saml:sub key. See Available Keys for SAML-Based Federation.
  • For WebIdentityUser, this is the user ID. See Available Keys for Web Identity Federation.
identityProvider
The principal name of the external identity provider. This field appears only for SAMLUser or WebIdentityUser types.

  • For SAMLUser, this is the saml:namequalifier key for the SAML assertion.
  • For WebIdentityUser, this is the issuer name of the web identity federation provider. This can be a provider that you configured, such as the following:
    • cognito-identity.amazon.com for Amazon Cognito
    • www.amazon.com for Login with Amazon
    • accounts.google.com for Google
    • graph.facebook.com for Facebook
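
The following Python is an added example, not part of the AWS documentation or any AWS SDK: it reads CloudTrail records, keeps only those whose userIdentity type is SAMLUser or WebIdentityUser, pulls out the fields described above, and flags web identity calls whose issuer is not one of the providers the page lists. The sample records and their principalId values are constructed for illustration.

```python
# Issuer names the documentation lists for web identity federation; treated
# here as an allowlist of expected providers (assumption: extend it with the
# providers you have actually configured).
KNOWN_WEB_IDENTITY_PROVIDERS = {
    "cognito-identity.amazon.com",  # Amazon Cognito
    "www.amazon.com",               # Login with Amazon
    "accounts.google.com",          # Google
    "graph.facebook.com",           # Facebook
}
FEDERATED_TYPES = ("SAMLUser", "WebIdentityUser")


def summarize_federated_call(record):
    """Return the federation-relevant userIdentity fields of one CloudTrail
    record, or None when the caller is not a SAMLUser or WebIdentityUser."""
    identity = record.get("userIdentity", {})
    itype = identity.get("type")
    if itype not in FEDERATED_TYPES:
        return None
    provider = identity.get("identityProvider")
    return {
        "type": itype,
        "eventName": record.get("eventName"),
        "principalId": identity.get("principalId"),
        "userName": identity.get("userName"),
        "identityProvider": provider,
        # A web identity issuer outside the allowlist is worth reviewing.
        "unexpectedProvider": itype == "WebIdentityUser"
        and provider not in KNOWN_WEB_IDENTITY_PROVIDERS,
    }


def summarize_trail(records):
    """Summaries for every SAML / web identity call in a list of records."""
    return [s for s in map(summarize_federated_call, records) if s]


# Constructed sample records (not real CloudTrail output); the principalId
# values follow the combinations described above, joined with ':' here.
SAMPLE_RECORDS = [
    {"eventName": "AssumeRoleWithWebIdentity", "userIdentity": {
        "type": "WebIdentityUser", "principalId": "accounts.google.com:app-1:user-1",
        "userName": "user-1", "identityProvider": "accounts.google.com"}},
    {"eventName": "AssumeRoleWithSAML", "userIdentity": {
        "type": "SAMLUser", "principalId": "https://idp.example.com/:alice",
        "userName": "alice", "identityProvider": "https://idp.example.com/"}},
    {"eventName": "AssumeRoleWithWebIdentity", "userIdentity": {
        "type": "WebIdentityUser", "principalId": "idp.unexpected.example:app-9:bob",
        "userName": "bob", "identityProvider": "idp.unexpected.example"}},
    {"eventName": "AssumeRole", "userIdentity": {"type": "IAMUser", "userName": "carol"}},
]
```

Running `summarize_trail(SAMPLE_RECORDS)` yields three summaries; only the third, whose issuer is not in the allowlist, has `unexpectedProvider` set to True.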

The following is an example userIdentity element for the AssumeRoleWithWebIdentity action.
