AWS Organization - API Integration
Note: You must have admin access to your AWS Identity Center Dashboard.
This API Integration brings in AWS SSO Users, Groups and Group Members.
The API Integration currently retrieves the status value for AWS SSO users using the SCIM GetUser endpoint (see GetUser in the IAM Identity Center SCIM Implementation documentation).
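As an added illustration (not Zilla's code and not an AWS sample), the following Python shows what the SCIM GetUser status lookup mentioned in the note amounts to: a bearer-authenticated GET /Users/{id} against the Identity Center SCIM endpoint, and a fail-closed mapping of the SCIM `active` attribute to a user status. The endpoint URL, tenant id, token and user ids are placeholders, and the sample responses are constructed, not captured from a real tenant.

```python
import json
from urllib.parse import quote, urljoin
from urllib.request import Request

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def build_scim_get_user_request(scim_endpoint: str, scim_token: str, user_id: str) -> Request:
    """Build the GET /Users/{id} (SCIM GetUser) request for IAM Identity Center.
    scim_endpoint is the URL shown in the Identity Center console (placeholder here);
    scim_token is a bearer credential and must be stored like any other secret."""
    base = scim_endpoint.rstrip("/") + "/"
    url = urljoin(base, "Users/" + quote(user_id, safe=""))
    return Request(url, headers={
        "Authorization": f"Bearer {scim_token}",
        "Accept": "application/scim+json",
    })


def user_status_from_scim(body: str) -> str:
    """Map a SCIM User document to 'active', 'inactive' or 'unknown'.
    Fail closed: anything that is not a well-formed SCIM User carrying a boolean
    'active' attribute is reported as 'unknown' rather than assumed enabled."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(doc, dict) or SCIM_USER_SCHEMA not in doc.get("schemas", []):
        return "unknown"  # e.g. a SCIM Error document for a missing user
    active = doc.get("active")
    if active is True:
        return "active"
    if active is False:
        return "inactive"
    return "unknown"


# Constructed sample responses (placeholder ids and names, not real tenant data).
SAMPLE_ACTIVE_USER = json.dumps({"schemas": [SCIM_USER_SCHEMA], "id": "user-0001-constructed",
                                 "userName": "alice@example.com", "active": True})
SAMPLE_DISABLED_USER = json.dumps({"schemas": [SCIM_USER_SCHEMA], "id": "user-0002-constructed",
                                   "userName": "bob@example.com", "active": False})
SAMPLE_SCIM_ERROR = json.dumps({"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                                "status": "404", "detail": "User not found"})

if __name__ == "__main__":
    req = build_scim_get_user_request(
        "https://scim.us-east-1.amazonaws.com/EXAMPLE-TENANT/scim/v2/",  # placeholder endpoint
        "SCIM_TOKEN_PLACEHOLDER", "user-0001-constructed")
    print(req.full_url, user_status_from_scim(SAMPLE_ACTIVE_USER))
```

The same `active` flag is what a status sync should key on; a user whose record cannot be fetched should be flagged for review rather than silently kept as active.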
1. Navigate to the same AWS Organizations instance in your library. Click the gear icon in the top right of the application details page to open the application configuration dialog. Click the slider below API Integration to enable it.
2. AWS SSO SCIM endpoint and AWS SSO SCIM Access Token are optional fields; they are required only for bringing in SSO User Status. Follow the steps given in AWS Organization - Enable SCIM configurations to enable the SCIM configuration in AWS SSO.
3. Set Discover Child Apps? to Yes if you want to automatically discover the member AWS accounts of this AWS Organization. This automatically creates an AWS application instance for each member account and adds the configuration value RoleArn as arn:aws:iam::<member-aws-account-Id>:role/Zilla-IAM-Reader-Role. It also requires the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity, set in step 6 below. The default value of Discover Child Apps? is No.
4. Set Auto Sync Child Apps? to Yes if you want to automatically start the sync for the child AWS application instances. This setting requires Discover Child Apps? to be Yes. It also requires the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity, set in step 6 below. The default value of Auto Sync Child Apps? is No.
5. Set Sync SSO accounts in Child Apps? to Yes if you want to sync the AWS SSO accounts assigned to the respective child AWS application instances. It also requires the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity, set in step 6 below, and the AWS Region in which AWS SSO is set up, set in step 7 below. The default value of Sync SSO accounts in Child Apps? is No.
6. Set the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity. For example: arn:aws:iam::<YOUR_AWS_SSO_MASTER_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role, created by following the instructions in AWS Organization - Create an IAM Role for SSO Users, Groups and Permission Set.
7. Copy the region in which AWS SSO has been created. For example: us-east-1.
8. Set Retrieve AWS SSO User status without SCIM token? to Yes if you want to fetch the user status without a SCIM token. The default value of Retrieve AWS SSO User status without SCIM token? is No.
   Note: This requires the zilla-sso-reader-policy role to be updated to include the sso-directory:SearchUsers permission.
9. Click Sync Now. You will see another dialog asking you to choose whether you want to sync via API Integration or Browser Extension. Choose API Integration and click Next. Click Next on the subsequent dialog to begin the sync. Once the sync completes successfully, your groups and group members are listed on the Accounts tab.