Versions Compared

...

Steps to create an IAM Policy Zilla-SSO-Reader-Policy

  1. Log in to the AWS Management Console of the Management Account of your AWS Organization.

  2. Navigate to the IAM dashboard.

  3. Click on Policies in the left-hand side menu of the IAM dashboard.

  4. Click Create policy and click on the JSON tab.

  5. IAM Policy Creation: Enter the following JSON snippet and click Next: Tags. The following policy allows Zilla to read the SSO Users, Groups and Permission Sets information from your AWS account.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "identitystore:Describe*",
                    "identitystore:List*"
                ],
                "Resource": "*"
            }
        ]
    }

  6. Optionally add tags and click Next: Review.

  7. Review Policy: On the review page, enter the Name (Zilla-SSO-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy.

  8. You will see a success message confirming that the policy was created.

  9. To confirm that the policy is present, search for it in the policy search bar. You will see your newly added policy in the list.

  10. Click the policy Zilla-SSO-Reader-Policy to double-check the assigned permissions. Click on the {} JSON tab to double-check the policy JSON.

...

Now that you have created the policy, the next step is to create a cross account Role.

...

Steps to create an IAM Role Zilla-SSO-Reader-Role

  1. Click Roles in the left-hand side menu to begin.

  2. Click the Create role button to create a new IAM Role. Under Select trusted entity, select AWS account and enter the 12-digit, region-specific Zilla Account ID (listed below). Select the Options checkbox for ‘Require external ID’ and enter the External ID as your tenant’s domain name (for example, if your tenant’s domain name is example.com, enter example.com as the External ID), then click Next.

    • US region Account ID: 087210011007

    • EU region Account ID: 319105906071

    • Australia/New Zealand region Account ID: 868976368166

  3. On the Add Permissions page, search for the AWSSSOReadOnly policy and select its checkbox.

  4. Also search for the policy created above, Zilla-SSO-Reader-Policy, and select its checkbox. Then click Next.

  5. On the Step 3 page, add the name of the role, Zilla-SSO-Reader-Role, and optionally add a description. Ensure the Trusted entities account ID matches the region-specific Zilla Account ID and that the Policies section contains Zilla-SSO-Reader-Policy, then click Create role.

  6. Once the role is created, you can search for it on the Roles tab and click on the role to check its details.

  7. On the role details page, double-check the policy under the Trust relationships tab: Trusted entities must contain the region-specific Zilla Account ID and your domain name as the ExternalId condition.
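The two console walkthroughs above produce two IAM documents: the read-only permission policy (step 5 of the policy section) and the role's trust policy, which the console writes for you from the "AWS account" and "Require external ID" choices. As an added example (not part of the original page and not Zilla's own tooling), the following Python script reproduces both documents offline and audits them for the properties the final step asks you to double-check: the trusted principal is exactly one of the Zilla account IDs listed above, an sts:ExternalId condition is present and equals your tenant domain, and the permission policy grants only read-only identitystore calls. The region labels, the function names and the set of verbs treated as read-only (Describe, List, Get) are assumptions of this example.

```python
"""Build and audit the Zilla SSO reader IAM documents offline.

Added example, not from the original page. It reproduces the permission
policy and the role trust policy the console steps create, then checks a
trust policy document for the properties the page asks you to verify.
"""
import json
import re

# Zilla account IDs exactly as listed on the page, keyed by an assumed region label.
ZILLA_ACCOUNT_IDS = {
    "us": "087210011007",
    "eu": "319105906071",
    "anz": "868976368166",
}

# The permission policy from the page (Zilla-SSO-Reader-Policy).
READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": ["identitystore:Describe*", "identitystore:List*"],
            "Resource": "*",
        }
    ],
}

# Verbs this example treats as read-only (an assumption, not an AWS-defined list).
READ_ONLY_VERBS = ("Describe", "List", "Get")

# Accepts a bare 12-digit account ID or the root ARN the console normalises it to.
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root)?$")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy(region, tenant_domain):
    """Trust policy equivalent to the console choices on the page: trusted entity is
    Zilla's AWS account for the region, and 'Require external ID' is the tenant domain."""
    account_id = ZILLA_ACCOUNT_IDS[region]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": tenant_domain}},
            }
        ],
    }


def audit_trust_policy(doc, tenant_domain):
    """Check a trust policy document (e.g. the AssumeRolePolicyDocument returned by
    `aws iam get-role`). Returns a list of findings; empty means it looks as expected."""
    findings = []
    for n, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            m = _ACCOUNT_RE.match(str(p))
            if m is None:
                findings.append(f"statement {n}: principal {p!r} is not a single AWS account")
            elif m.group(1) not in ZILLA_ACCOUNT_IDS.values():
                findings.append(f"statement {n}: trusted account {m.group(1)} is not a listed Zilla account")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append(f"statement {n}: missing sts:ExternalId condition")
        elif external_id != tenant_domain:
            findings.append(f"statement {n}: sts:ExternalId {external_id!r} != {tenant_domain!r}")
    return findings


def audit_reader_policy(doc):
    """Flag any allowed action that is not a read-only identitystore call."""
    findings = []
    for n, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            service, _, verb = action.partition(":")
            if service != "identitystore" or not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"statement {n}: action {action!r} is not a read-only identitystore call")
    return findings


if __name__ == "__main__":
    tp = trust_policy("us", "example.com")  # example.com is the page's sample tenant domain
    print(json.dumps(tp, indent=4))
    print("trust policy findings:", audit_trust_policy(tp, "example.com"))
    print("reader policy findings:", audit_reader_policy(READER_POLICY))
```

To run the audit against the real role, pass the AssumeRolePolicyDocument returned by `aws iam get-role --role-name Zilla-SSO-Reader-Role` (the CLI returns it as decoded JSON) to audit_trust_policy together with your tenant domain; any finding means the trust relationship differs from what step 7 expects, and a missing ExternalId condition in particular removes the confused-deputy protection the external ID is there to provide.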

Notes:

  1. Copy the Role ARN. For example: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role and keep it handy for later.

  2. Typically, organizations have one MASTER AWS ACCOUNT under which they set up multiple Users, Groups, Permission Sets and AWS Accounts, so you will likely need to create the SSO Role and Policy only once, against your MASTER AWS ACCOUNT.

  3. Currently, the IAM Role and Policy creation to bring in SSO Users, Groups and Permission Sets is optional in Zilla.