Create an IAM Policy for SSO Users, Groups and Permission Set
Steps to create an IAM Policy
Click on Policies on the left hand side menu of the IAM dashboard.
Click
Create policy
and click on theJSON
tab.IAM Policy Creation: Enter the following
json
snippet and clickNext: Tags
. The following policy allows Zilla to read the SSO Users, Groups and Permission Sets information from your AWS account{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "identitystore:Describe*", "identitystore:List*" ], "Resource": "*" } ] }
Optionally add tags and click
Next: Review
.Review Policy: On the review page, enter the Name (
Zilla-SSO-Reader-Policy
) and optionally a description for the policy. Review the permissions assigned to the policy and then clickCreate policy
. The policy will look like this:You will see a success message like this:
To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.
Click the policy
Zilla-SSO-Reader-Policy
to double check the assigned permissions. The policy will look like this:Click on the
{} JSON
tab to double check the policy json.
Now that you have created the policy, the next step is to create a cross account Role.
Create an IAM Role for SSO Users, Groups and Permission Set
Steps to create an IAM Role
Click Roles from the left hand side menu to begin.
Click
Create role
button to create a new IAM Role. Under Select type of trusted entity selectAnother AWS account
and enter the 12 digit Account ID of Zilla (087210011007). Select the Options checkbox for ‘Require external ID’ and enter External ID as your tenant’s domain name, then clickNext: Permissions
.On the permissions page, search for AWSSSOReadOnly policy, and select the checkbox.
Also search for the policy created ,
Zilla-SSO-Reader-Policy
, and select the checkbox. Then clickNext: Tags
.Optionally add tags and click
Next: Review
.On the review page, add the name of the role
Zilla-SSO-Reader-Role
and optionally add a description. Ensure the Trusted entities account id matches Zilla’s account Id (087210011007) and that the Policies section containsZilla-SSO-Reader-Policy
, then clickCreate role
d.Once the role is created, you can search for it on the roles tab and click on the role to check its details.
On the role details page, double check the policy under Trust relationships that Trusted entities has Zilla Account ID (087210011007) and your domain name as ExternalId condition.
Notes:
Copy the Role ARN. For example:
arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role
and keep it handy for later.Typically organizations will have one MASTER AWS ACCOUNT under which they will setup multiple Users, Groups, Permission Sets and AWS Accounts. So it’s likely you will need to create the SSO Role and Policy creation only once against your MASTER AWS ACCOUNT.
Currently, the IAM Role and Policy creation to bring in SSO Users, Groups and Permission Sets is optional in Zilla.