---
title: "Configuring IAM Roles in AWS"
slug: "configuring-iam-roles-in-awsidentitycenter"
updated: 2026-04-21T08:01:14Z
published: 2026-04-21T08:01:14Z
canonical: "docs.britive.com/configuring-iam-roles-in-awsidentitycenter"
---


# Configuring IAM Roles in AWS

Britive needs the following access permissions in the AWS IAM role to successfully connect to AWS:

- Access to read IAM policies
- Access to AWS Organizations
- Access to the IAM Identity Center

Follow the steps below to create the custom policy and IAM role.

## Creating an IAM Policy in AWS

Perform the following steps to create an IAM policy in the Identity Center management AWS account:

1. Log in to the AWS console with administrator privileges.
2. Open the IAM console.
3. Select **IAM** > **Access management** > **Policies**.
4. Click **Create Policy**.
5. Select **JSON** and add the following policy:


```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "VisualEditor0",
			"Effect": "Allow",
			"Action": [
				"identitystore:IsMemberInGroups",
				"identitystore:ListGroupMemberships",
				"iam:GetPolicyVersion",
				"organizations:ListRoots",
				"sso:ListTagsForResource",
				"sso:CreateAccountAssignment",
				"sso:ListCustomerManagedPolicyReferencesInPermissionSet",
				"identitystore:GetGroupMembershipId",
				"organizations:DescribeAccount",
				"organizations:ListChildren",
				"organizations:DescribeOrganization",
				"sso:ListInstances",
				"sso:DescribeAccountAssignmentDeletionStatus",
				"iam:ListPolicies",
				"sso:ListAccountAssignmentDeletionStatus",
				"sso:ListApplicationAssignmentsForPrincipal",
				"sso:ProvisionPermissionSet",
				"sso:DescribeApplication",
				"sso:DescribeAccountAssignmentCreationStatus",
				"iam:GetPolicy",
				"sso:DescribeInstance",
				"identitystore:ListUsers",
				"sso:DeleteAccountAssignment",
				"organizations:ListAccountsForParent",
				"sso:ListAccountAssignments",
				"sso:GetInlinePolicyForPermissionSet",
				"sso:ListManagedPoliciesInPermissionSet",
				"identitystore:CreateGroupMembership",
				"sso:DescribePermissionSetProvisioningStatus",
				"organizations:ListOrganizationalUnitsForParent",
				"identitystore:GetUserId",
				"sso:DescribeApplicationAssignment",
				"identitystore:DescribeUser",
				"sso:GetPermissionSet",
				"identitystore:GetGroupId",
				"identitystore:DescribeGroupMembership",
				"organizations:DescribeOrganizationalUnit",
				"identitystore:ListGroups",
				"sso:DescribePermissionSet",
				"sso:DeleteApplicationAssignment",
				"sso:ListPermissionSets",
				"organizations:ListTagsForResource",
				"sso:ListPermissionSetsProvisionedToAccount",
				"sso:CreateApplicationAssignment",
				"identitystore:ListGroupMembershipsForMember",
				"sso:ListAccountAssignmentCreationStatus",
				"organizations:ListAccounts",
				"iam:ListPolicyVersions",
				"sso:ListAccountsForProvisionedPermissionSet",
				"identitystore:DeleteGroupMembership",
				"identitystore:DescribeGroup",
				"sso:ListApplicationAssignments",
				"organizations:ListParents",
				"sso:ListAccountAssignmentsForPrincipal"
			],
			"Resource": "*"
		}
	]
}
```
6. Click **Next**.
7. Enter the policy name and description and click **Save**.

## Creating an IAM Role in AWS

If you have an existing AWS application and role configured for it, you can add the above policy to the same role. Alternatively, you can create a separate role if needed by following the steps below.

1. Log in to the AWS console with administrator privileges.
2. Open the IAM console.
3. Select **IAM** > **Access management** > **Roles**.
4. Click **Create role**.
5. Enter the following on the **Create role** page:
  1. Select **SAML 2.0 federation**.
  2. In **SAML 2.0-based provider**, select the identity provider added as explained in the section [Configuring Britive Identity Provider in AWS](/v1/docs/configuring-britive-identity-provider-in-aws).
  3. Select **Allow programmatic access only**.
  4. Enter the following in the **Attribute** and **Value** fields:
    - **Attribute**: **SAML:aud**
    - **Value**: [https://signin.aws.amazon.com/saml](https://signin.aws.amazon.com/saml)
  5. Click **Next**.
  6. Enter the following on the **Add Permissions** page:
    1. Search for the policy created in the previous steps in **Filter policies**.
    2. Click **Next**.
  7. Enter the following values on the **Name, Review and Create** page:
    1. Enter a **Role name** (64-character limit) that can include alphanumeric characters and special characters such as @ or *.
    2. Enter a **Role description** (optional).
    3. Click **Create role**. A message is displayed confirming that the role has been created.
6. Add the following actions to the trust relationship as shown in the example below. *SetSourceIdentity* is optional.


```json
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Federated":"arn:aws:iam::<account>:saml-provider/Britive"
         },
         "Action":[
            "sts:AssumeRoleWithSAML",
            "sts:SetSourceIdentity"
         ],
         "Condition":{
            "StringEquals":{
               "SAML:aud":"https://signin.aws.amazon.com/saml"
            }
         }
      }
   ]
}
```
7. You can select the newly-created IAM role from the role list for the AWS account and view the role details from the **Summary** page. Note that the **Maximum session duration** value displayed in the **Summary** page is used when configuring the role properties within the Britive tenant.
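Before applying the two JSON documents from the steps above, it is worth checking them offline for the properties this procedure depends on: the permission policy stays within the `identitystore`, `iam`, `organizations` and `sso` services and contains no wildcard actions, and the trust relationship trusts exactly the Britive SAML provider, allows `sts:AssumeRoleWithSAML` (plus the optional `sts:SetSourceIdentity`) and carries the `SAML:aud` condition. The following script is an added example, not Britive's or AWS's own tooling; the sample documents embedded in it are constructed for the example, the account ID `123456789012` is a placeholder, and the check functions and their names are this example's own.

```python
"""Offline sanity checks for the Britive IAM permission policy and role trust relationship.

Added example (not Britive's own tooling). It reads the two JSON documents
produced by the procedure above and reports anything that deviates from what
the procedure requires, before the documents are pasted into the console.
"""
import json

# Services the documented permission policy grants actions on.
EXPECTED_ACTION_PREFIXES = ("identitystore:", "iam:", "organizations:", "sso:")

# Trust relationship requirements from the trust-relationship step above.
REQUIRED_TRUST_ACTIONS = {"sts:AssumeRoleWithSAML"}
OPTIONAL_TRUST_ACTIONS = {"sts:SetSourceIdentity"}
EXPECTED_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample inputs (placeholder account ID, excerpt of the documented actions).
SAMPLE_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/Britive"
SAMPLE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["sso:ListInstances", "identitystore:ListUsers",
                   "organizations:ListAccounts", "iam:GetPolicy"],
        "Resource": "*",
    }],
}
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": SAMPLE_PROVIDER_ARN},
        "Action": ["sts:AssumeRoleWithSAML", "sts:SetSourceIdentity"],
        "Condition": {"StringEquals": {"SAML:aud": EXPECTED_SAML_AUDIENCE}},
    }],
}


def _statements(doc):
    """IAM allows Statement to be a single object or a list; normalise to a list."""
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value):
    """IAM allows Action/Principal values to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_permission_policy(doc):
    """Return a list of findings for the Britive access policy; an empty list means OK."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("policy Version should be 2012-10-17")
    for stmt in _statements(doc):
        if stmt.get("Effect") != "Allow":
            findings.append(f"unexpected Effect {stmt.get('Effect')!r}")
        if "NotAction" in stmt:
            findings.append("NotAction grants everything except the listed actions; use Action")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action {action!r} is far broader than the documented list")
            elif not action.startswith(EXPECTED_ACTION_PREFIXES):
                findings.append(f"action {action!r} is outside the services Britive needs")
    return findings


def check_trust_policy(doc, saml_provider_arn):
    """Return a list of findings for the role trust relationship; an empty list means OK."""
    findings = []
    for stmt in _statements(doc):
        principal = stmt.get("Principal", {})
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if federated != [saml_provider_arn]:
            findings.append(f"Principal must be exactly the Britive SAML provider {saml_provider_arn}")
        actions = set(_as_list(stmt.get("Action")))
        if not REQUIRED_TRUST_ACTIONS <= actions:
            findings.append("sts:AssumeRoleWithSAML is missing")
        extra = actions - REQUIRED_TRUST_ACTIONS - OPTIONAL_TRUST_ACTIONS
        if extra:
            findings.append(f"unexpected trust actions: {sorted(extra)}")
        audience = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if audience != EXPECTED_SAML_AUDIENCE:
            findings.append("Condition StringEquals SAML:aud must be " + EXPECTED_SAML_AUDIENCE)
    return findings


def check_files(policy_path, trust_path, saml_provider_arn):
    """Load both documents from disk and return their combined findings."""
    with open(policy_path) as f:
        policy_findings = check_permission_policy(json.load(f))
    with open(trust_path) as f:
        trust_findings = check_trust_policy(json.load(f), saml_provider_arn)
    return policy_findings + trust_findings


if __name__ == "__main__":
    for name, findings in (("permission policy", check_permission_policy(SAMPLE_PERMISSION_POLICY)),
                           ("trust relationship", check_trust_policy(SAMPLE_TRUST_POLICY, SAMPLE_PROVIDER_ARN))):
        print(name + ":", "OK" if not findings else "; ".join(findings))
```

Run it against the saved files with `check_files("britive-policy.json", "britive-trust.json", "<your provider ARN>")`; an empty result means both documents match the procedure. A trust document that still carries the spaced spelling `sts : AssumeRolewithSAML` (which AWS would reject anyway) is reported as both a missing required action and an unexpected one, so a typo in the action name is caught before the role is created.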

Now that you have completed the onboarding prerequisites, you can onboard AWS Identity Center applications per your requirements and proceed with the onboarding process.

For more information about creating a role in AWS, see [Creating a role for SAML 2.0 federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html).
