Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

Note: Below are the steps to create Zilla-SSO-Reader-Role manually using AWS IAM console. Another option is to use AWS CloudFormation to create this role. To use AWS CloudFormation follow the steps - AWS CloudFormation For Creating Zilla-SSO-Reader-Role

Create an IAM Policy for SSO Users, Groups and Permission Set

Steps to create an IAM Policy Zilla-SSO-Reader-Policy

  1. Login to the Management Account of your AWS Organization AWS Management Console

    Image Added
  2. Navigate to the IAM dashboard.

    Image Added
  3. Click on Policies on the left hand side menu of the IAM dashboard.

...

  1. Image Added

  2. Click Create policy and click on the JSON tab.

    Image Added

  3. IAM Policy Creation: Enter the following json snippet and click Next: Tags. The following policy allows Zilla to read the SSO Users, Groups and Permission Sets information from your AWS account.

    Code Block
    {
        

...

  1. "Version": "2012-10-17",
        

...

  1. "Statement": [
    

...

  1.         {
                "Sid": "VisualEditor1",

...

  1. 
                "Effect": "Allow",
    

...

  1.             "Action": [
    

...

  1.                 "identitystore:Describe*",

...

  1. 
                    "identitystore:List*"

...

  1. 
                ],
                "Resource": "*"

...

  1. 
            }
        ]
    }

...

  1. Image Added

 

  1. Optionally add tags and click Next: Review.

    Image Added

  2. Review Policy: On the review page, enter the Name (Zilla-SSO-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy. The policy will look like this:

    Image Added

     

  3. You will see a success message like this: 

...

  1. Image Added

  2. To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.

    Image Added

     

  3. Click the policy Zilla-SSO-Reader-Policy to double check the assigned permissions. The policy will look like this:

    Click on the {} JSON tab to double check the policy json.

...

...

Now that you have created the policy, the next step is to create a cross account Role.

Create an IAM Role for SSO Users, Groups and Permission Set

Steps to create an IAM Role Zilla-SSO-Reader-Role

  1. Click Roles from the left hand side menu to begin.

    Image Modified

     

  2. Click Create role button to create a new IAM Role. Under Select

...

  1. trusted entity select

...

  1. AWS account and enter the 12 digit region sepcific Zilla’s Account ID

...

  1. (

...

  1. listed below). Select the Options checkbox for ‘Require external ID’ and enter External ID as your tenant’s domain name (For example: If your tenant’s domain name is example.com enter the External ID as example.com). , then click Next

...

  1. .

    • US region Account ID: 087210011007

    • EU region Account ID: 319105906071

    • Australia/New Zealand region Account ID: 868976368166

      Image Added

      Image Added

  2. On the

...

  1. Add Permissions page, search for AWSSSOReadOnly policy, and select the checkbox.

...

  1. Image Added

     

  2. Also search for the policy created above, Zilla-SSO-Reader-Policy, and select the checkbox. Then click Next

...

  1. .

...

  1. Image Added

...

Optionally add tags and click Next: Review.

...

 

...

  1.   

  2. On the Step 3 page, add the name of the role Zilla-SSO-Reader-Role and optionally add a description. Ensure the Trusted entities account id matches region specific Zilla’s account Id

...

  1. and that the Policies section contains Zilla-SSO-Reader-Policy, then click Create role

...

  1. .

    Image Added

...

  1. Image Added

     

  2. Once the role is created, you can search for it on the roles tab and click on the role to check its details.

    Image Modified

     

  3. On the role details page, double check the policy under Trust relationships tab that Trusted entities has

...

  1. region specific Zilla’s Account ID

...

  1. and your domain name as ExternalId condition.

    Image Modified

     

Info

Notes:

  1. Copy the Role ARN. For example: arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role and keep it handy for later.

  2. Typically organizations will have one MASTER AWS ACCOUNT under which they will setup multiple Users, Groups, Permission Sets and AWS Accounts. So it’s likely you will need to create the SSO Role and Policy creation only once against your MASTER AWS ACCOUNT.

  3. Currently, the IAM Role and Policy creation to bring in SSO Users, Groups and Permission Sets is optional in Zilla.