Configuring IAM Roles in AWS

    Britive needs the following access permissions in the AWS IAM role to successfully connect to AWS:

    • Access to read IAM policies 
    • Access to AWS Organizations
    • Access to the IAM Identity Center 

    Follow the steps below to create the custom policy and IAM role. 

    Creating an IAM Policy in AWS

    Perform the following steps to create an IAM policy in the Identity Center management AWS account:

    1. Log in to the AWS console with administrator privileges.
    2. Open the IAM console.
    3. Select IAM > Access management > Policies.
    4. Click Create policy.
    5. Select JSON and add the following policy:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "iam:GetPolicyVersion",
              "identitystore:IsMemberInGroups",
              "identitystore:ListGroupMemberships",
              "identitystore:DescribeUser",
              "sso:DescribePermissionsPolicies",
              "sso:ListTagsForResource",
              "organizations:ListRoots",
              "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
              "identitystore:GetGroupMembershipId",
              "organizations:DescribeAccount",
              "sso:GetPermissionSet",
              "organizations:ListChildren",
              "identitystore:GetGroupId",
              "organizations:DescribeOrganization",
              "identitystore:DescribeGroupMembership",
              "organizations:DescribeOrganizationalUnit",
              "sso:ListInstances",
              "identitystore:ListGroups",
              "sso:DescribePermissionSet",
              "sso:DescribeAccountAssignmentDeletionStatus",
              "sso:ListAccountAssignmentDeletionStatus",
              "iam:ListPolicies",
              "sso:ListPermissionSets",
              "sso:ListPermissionSetsProvisionedToAccount",
              "sso:DescribeAccountAssignmentCreationStatus",
              "organizations:ListTagsForResource",
              "iam:GetPolicy",
              "sso:DescribeInstance",
              "sso:GetPermissionsPolicy",
              "identitystore:ListUsers",
              "sso:ListAccountAssignmentCreationStatus",
              "identitystore:ListGroupMembershipsForMember",
              "organizations:ListAccountsForParent",
              "sso:ListAccountAssignments",
              "organizations:ListAccounts",
              "sso:ListAccountsForProvisionedPermissionSet",
              "sso:GetInlinePolicyForPermissionSet",
              "iam:ListPolicyVersions",
              "sso:ListManagedPoliciesInPermissionSet",
              "identitystore:DeleteGroupMembership",
              "identitystore:CreateGroupMembership",
              "identitystore:DescribeGroup",
              "organizations:ListParents",
              "organizations:ListOrganizationalUnitsForParent",
              "identitystore:GetUserId"
            ],
            "Resource": "*"
          }
        ]
      }
    6. Click Next.
    7. Enter the policy name and description and click Save.
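Before attaching the policy, it is worth checking what it actually grants. The following Python script is an added example (not part of this article or of Britive's tooling): it takes the article's action list, groups the actions by service, classifies each as read or write by its verb prefix, and lists the write actions that are allowed with Resource "*". The READ_PREFIXES heuristic and the output format are assumptions of this example.

```python
from collections import defaultdict

# Verbs that only read state; any other verb (Create, Delete, Put, ...) or "iam:*" counts as write.
READ_PREFIXES = ("Get", "List", "Describe", "Is")

# Action list copied from the policy in this article, packed several per line.
BRITIVE_ACTIONS = """
iam:GetPolicyVersion identitystore:IsMemberInGroups identitystore:ListGroupMemberships
identitystore:DescribeUser sso:DescribePermissionsPolicies sso:ListTagsForResource
organizations:ListRoots sso:ListCustomerManagedPolicyReferencesInPermissionSet
identitystore:GetGroupMembershipId organizations:DescribeAccount sso:GetPermissionSet
organizations:ListChildren identitystore:GetGroupId organizations:DescribeOrganization
identitystore:DescribeGroupMembership organizations:DescribeOrganizationalUnit sso:ListInstances
identitystore:ListGroups sso:DescribePermissionSet sso:DescribeAccountAssignmentDeletionStatus
sso:ListAccountAssignmentDeletionStatus iam:ListPolicies sso:ListPermissionSets
sso:ListPermissionSetsProvisionedToAccount sso:DescribeAccountAssignmentCreationStatus
organizations:ListTagsForResource iam:GetPolicy sso:DescribeInstance sso:GetPermissionsPolicy
identitystore:ListUsers sso:ListAccountAssignmentCreationStatus
identitystore:ListGroupMembershipsForMember organizations:ListAccountsForParent
sso:ListAccountAssignments organizations:ListAccounts sso:ListAccountsForProvisionedPermissionSet
sso:GetInlinePolicyForPermissionSet iam:ListPolicyVersions sso:ListManagedPoliciesInPermissionSet
identitystore:DeleteGroupMembership identitystore:CreateGroupMembership identitystore:DescribeGroup
organizations:ListParents organizations:ListOrganizationalUnitsForParent identitystore:GetUserId
""".split()
BRITIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": BRITIVE_ACTIONS, "Resource": "*"}]}


def review_policy(policy):
    """Split every Allow action by service and read/write, and list the write
    actions allowed on Resource "*" (no resource scoping at all)."""
    as_list = lambda v: [v] if isinstance(v, str) else v  # IAM accepts string or array
    services = defaultdict(lambda: {"read": set(), "write": set()})
    wildcard_writes = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing; NotAction is not handled here
        resources = as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            kind = "read" if verb.startswith(READ_PREFIXES) else "write"
            services[service][kind].add(action)
            if kind == "write" and "*" in resources:
                wildcard_writes.add(action)
    return {"services": dict(services), "wildcard_writes": sorted(wildcard_writes)}


if __name__ == "__main__":
    for action in review_policy(BRITIVE_POLICY)["wildcard_writes"]:
        print("write action allowed on Resource '*':", action)
```

On this policy the script reports identitystore:CreateGroupMembership and identitystore:DeleteGroupMembership as the only write actions; everything else is read-only, so those two are the permissions that let the integration change group memberships and are the ones to scope or monitor if your review requires it.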

    Creating an IAM Role in AWS

    If you have an existing AWS application and role configured for it, you can add the above policy to the same role. Alternatively, you can create a separate role if needed by following the steps below.

    1. Log in to the AWS console with administrator privileges.
    2. Open the IAM console.
    3. Select IAM > Access management > Roles.
    4. Click Create role.
    5. Enter the following on the Create role page:
      1. Select SAML 2.0 federation.
      2. Under SAML 2.0-based provider, select the identity provider you added as described in the section Configuring Britive Identity Provider in AWS.
      3. Select Allow programmatic access only.
      4. Enter the following for the Attribute and Value fields:
      5. Click Next.
      6. Enter the following on the Add permissions page:
        1. In Filter policies, search for the policy created in the previous steps.
        2. Click Next.
      7. Enter the following values on the Name, review, and create page:
        1. Enter a Role name (64-character limit); it can include alphanumeric characters and special characters such as @ or *.
        2. Enter a Role description (optional).
        3. Click Create role. A message is displayed confirming that the role has been created.
    6. You can select the newly created IAM role from the role list for the AWS account and view the role details on the Summary page. Note that the Maximum session duration value displayed on the Summary page is used when configuring the role properties within the Britive tenant.

    Now that you have completed the onboarding prerequisites, you can choose to onboard AWS Identity Center applications per your requirement and proceed with the onboarding process. 

    For more information about creating a role in AWS, see Creating a role for SAML 2.0 federation.
