Is there a way to condition an AWS IAM role service integration on the app id or name?

I've set up an AWS service integration (oauth2), and I can see that any publisher can use the integration for their app. I'm wondering if there is an OIDC claim I could use to limit the IAM Role's permissions per app, e.g.
App 1 > can read s3 bucket 1
App 2 > can read s3 bucket 2

Is there an OIDC field/claim whose value is unique per app that I could condition on, similar to how the trust policy is conditioned on
```json
"Condition": {
  "StringEquals": {
    "molgen-shiny.org/:aud": "connect-content"
  }
}
```
Thanks!

Hi Matthew,

Thanks for the question. There isn't a way to do what you're asking today, but it's an interesting idea. In the meantime, creating separate roles and separate corresponding integrations in Connect is probably the best path forward.

1 Like
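Added example (not from the thread or from Connect itself) that models what the two posts describe: the `aud` condition in the trust policy is the same for every app using one integration, so it cannot tell App 1 from App 2, and the per-bucket boundary has to come from the separate role each integration assumes. Claim values, role names and bucket names are constructed; the condition and ARN matching is a simplified model of IAM's evaluation, not a full implementation.

```python
from typing import Dict, List

# The trust-policy condition quoted in the question, keyed the way IAM exposes the token claim.
TRUST_CONDITION = {"StringEquals": {"molgen-shiny.org/:aud": "connect-content"}}

# One role per integration, each scoped to a single bucket, as the reply recommends
# (role and bucket names are constructed for this example).
ROLE_POLICIES = {
    "connect-app1-role": {"Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-1/*"},
    "connect-app2-role": {"Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-2/*"},
}


def trust_allows(claims: Dict[str, str], condition: Dict = TRUST_CONDITION) -> bool:
    """True when every StringEquals key in the trust condition matches the token claim."""
    for key, expected in condition.get("StringEquals", {}).items():
        if claims.get(key) != expected:
            return False
    return True


def roles_admitting(claims: Dict[str, str]) -> List[str]:
    """Roles whose (identical) trust condition accepts this token.

    Both roles accept any token from the integration: the claim carries no per-app value,
    which is why conditioning on it cannot separate App 1 from App 2.
    """
    return [role for role in ROLE_POLICIES if trust_allows(claims)]


def _arn_match(pattern: str, resource: str) -> bool:
    # Simplified: only a trailing "/*" wildcard is supported, as in the policies above.
    if pattern.endswith("/*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def role_allows(role: str, action: str, resource: str) -> bool:
    """Permission check for the role actually assumed; this is where the per-bucket limit lives."""
    stmt = ROLE_POLICIES[role]
    return stmt["Action"] == action and _arn_match(stmt["Resource"], resource)


if __name__ == "__main__":
    token = {"molgen-shiny.org/:aud": "connect-content"}  # constructed token claims
    print("roles admitting this token:", roles_admitting(token))
    print("app1 role -> bucket-2:", role_allows("connect-app1-role", "s3:GetObject",
                                                "arn:aws:s3:::bucket-2/report.csv"))
```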