
AWS Identity Center

About

Amazon Identity Center (successor to AWS Single Sign-On) helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.

Why You Should Integrate

This integration will provide visibility into your AWS Identity Center users within Sevco.

How Does the Integration Work

This integration pulls all users from a given AWS Identity Store (the user store that backs AWS Identity Center).

This data is only used internally; we do not share it with any parties outside of Sevco. Refer to our privacy policy for details.

⚠️ If you haven't already, please review our instructions for configuring the AWS integration before proceeding with the instructions below.

Configuration Options

Field | Description | Example
Identity Store ID* | The ID of the Identity Store to pull users from | d-1234567890
Region* | The AWS Region that the Identity Store is hosted in | us-east-1

External Documentation

Creating Credentials

Access Key ID/Secret Access Key Schemas

See platform documentation for details on AWS - Creating credentials

Assume Role Schemas

You'll be required to configure an AWS role for Sevco to assume in order to connect to AWS. Please contact Sevco Support for the full details on creating and configuring your AWS roles.

Create a new role that will be assumed by Sevco to interact with your AWS account. Use the following JSON to create your trust policy. Sevco Support will provide your sts:ExternalId to replace the 11111111-1111-1111-1111-111111111111 value and the Sevco account ID to replace 123456789010.

Sample IAM Assume Role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "11111111-1111-1111-1111-111111111111"
                }
            }
        }
    ]
}
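The properties that make a trust policy like the one above safe to hand to a third party are a single, specific principal, only sts:AssumeRole, and a StringEquals condition on sts:ExternalId; the following is an added check script (not Sevco's code) that verifies those properties on a policy document before you attach it, with check_trust_policy and SAMPLE_TRUST_POLICY being names of my own choosing:

```python
"""Check a cross-account trust policy before attaching it to the Sevco role.
Added example, not Sevco's code: it flags a missing or wrong sts:ExternalId,
a wildcard or unexpected principal, and any action beyond sts:AssumeRole."""
import json
import sys

# Constructed sample: the trust policy from this page, still carrying the
# placeholder account ID and ExternalId that Sevco Support replaces.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789010:role/Sevco_USProd_IAMAssetCollection"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "11111111-1111-1111-1111-111111111111"}},
    }],
}

def _as_list(value):
    # IAM accepts a string or a list in most positions; normalise to a list
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, expected_principal, expected_external_id):
    """Return a list of findings; an empty list means the policy is as expected."""
    findings = []
    statements = policy.get("Statement", [])
    if not statements:
        return ["policy has no statements"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access, no finding
        where = f"Statement[{i}]"
        principal = stmt.get("Principal", {})
        # Principal may be the bare string "*" or {"AWS": <string or list>}
        who = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        if who != [expected_principal]:
            findings.append(f"{where}: principal {who} is not exactly {expected_principal}")
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"{where}: grants more than sts:AssumeRole: {extra}")
        ext_ids = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", []))
        if not ext_ids:
            findings.append(f"{where}: no StringEquals sts:ExternalId condition (confused-deputy risk)")
        elif ext_ids != [expected_external_id]:
            findings.append(f"{where}: sts:ExternalId {ext_ids} differs from the value Sevco Support gave")
    return findings

if __name__ == "__main__":  # usage: python check_trust.py <principal-arn> <external-id> < trust-policy.json
    for line in check_trust_policy(json.load(sys.stdin), sys.argv[1], sys.argv[2]) or ["OK"]:
        print(line)
```

Run it against the policy document you are about to attach; an empty result means the principal, action and ExternalId condition all match what Sevco Support supplied.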

AWS CloudFormation Templates

If you would like to automate creating an assumable role for multiple accounts in your AWS organization, you can do so using a CloudFormation template.

See the CloudFormation template below:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create an Identity Center asset collection role that can be assumed by a specific role with an ExternalId condition.

Parameters:
  RoleName:
    Type: String
    Description: Name of the IAM role to create.
    Default: SevcoAssumableRole
    MinLength: 1
    MaxLength: 64
  TrustedAccountNumber:
    Type: String
    Description: The AWS account hosting the role that will be allowed to assume the collection role in your account.
  ExternalId:
    Type: String
    Description: The ExternalId required for assuming the role.

Resources:
  AssumableIdentityCenterRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref RoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountNumber}:role/Sevco_USProd_IAMAssetCollection'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: SevcoIdentityCenterAssetCollectionPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'identitystore:ListGroupMemberships'
                  - 'identitystore:ListGroups'
                  - 'identitystore:ListUsers'
                Resource: '*' # Or the ARN for whatever Identity Store ID you want to read from
      MaxSessionDuration: 3600 # Session duration in seconds (1 hour)

Outputs:
  RoleArn:
    Description: ARN of the created IAM role
    Value: !GetAtt AssumableIdentityCenterRole.Arn
  RoleName:
    Description: Name of the created IAM role
    Value: !Ref AssumableIdentityCenterRole

Required Permissions

Your IAM user (Access Key ID/Secret) or newly created role (AssumeRole) should use a permission policy with at least the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:ListGroupMemberships",
                "identitystore:ListGroups",
                "identitystore:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}

IAM policy documents do not allow comments, so the scoping note is given here instead: replace the "*" Resource with the ARN of the specific Identity Store you want Sevco to read from if you prefer to limit the policy to that store.

Contact Us

If you're having problems integrating a source, or if you've found something wrong in this document, please email us at [email protected].