Info |
---|
Note: Below are the steps to create |
Create an IAM Policy for SSO Users, Groups and Permission Set
Steps to create an IAM Policy Zilla-SSO-Reader-Policy
Login to the Management Account of your AWS Organization AWS Management Console
Navigate to the IAM dashboard.
Click on Policies on the left hand side menu of the IAM dashboard.
Click
Create policy
and click on theJSON
tab.IAM Policy Creation: Enter the following
json
snippet and clickNext: Tags
. The following policy allows Zilla to read the SSO Users, Groups and Permission Sets information from your AWS account.Code Block { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "identitystore:Describe*", "identitystore:List*" ], "Resource": "*" } ] }
Optionally add tags and click
Next: Review
.Review Policy: On the review page, enter the Name (
Zilla-SSO-Reader-Policy
) and optionally a description for the policy. Review the permissions assigned to the policy and then clickCreate policy
. The policy will look like this:You will see a success message like this:
To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.
Click the policy
Zilla-SSO-Reader-Policy
to double check the assigned permissions. The policy will look like this:Click on the
{} JSON
tab to double check the policy json.
...
Now that you have created the policy, the next step is to create a cross account Role.
Create an IAM Role for SSO Users, Groups and Permission Set
Steps to create an IAM Role Zilla-SSO-Reader-Role
Click Roles from the left hand side menu to begin.
Click
Create role
button to create a new IAM Role. Under Select type of trusted entity selectAnother AWS account
and enter the 12 digit Account ID of Zilla (087210011007). Select the Options checkbox for ‘Require external ID’ and enter External ID as your tenant’s domain name (For example: If your tenant’s domain name isexample.com
enter the External ID as example.com). , then clickNext: Permissions
.On the permissions Add Permissions page, search for AWSSSOReadOnly policy, and select the checkbox.
Also search for the policy created above,
Zilla-SSO-Reader-Policy
, and select the checkbox. Then clickNext: Tags
.Optionally add tags and click
Next: Review
.- On the review
On the Step 3 page, add the name of the role
Zilla-SSO-Reader-Role
and optionally add a description. Ensure the Trusted entities account id matches Zilla’s account Id (087210011007) and that the Policies section containsZilla-SSO-Reader-Policy
, then clickCreate role
d.Once the role is created, you can search for it on the roles tab and click on the role to check its details.
On the role details page, double check the policy under Trust relationships tab that Trusted entities has Zilla Account ID (087210011007) and your domain name as ExternalId condition.
Info |
---|
Notes:
|