AWS Organization - API Integration

Note:

  1. You must have administrator access to your AWS IAM Identity Center (AWS SSO) dashboard.

  2. This API Integration brings in AWS SSO users, groups and group memberships.

  3. The API Integration currently reads the status (active or inactive) of AWS SSO users through the SCIM endpoint's GetUser operation - https://docs.aws.amazon.com/singlesignon/latest/developerguide/getuser.html. If no SCIM endpoint and access token are configured, user status is only populated when the Retrieve AWS SSO User status without SCIM token ? option described below is enabled.

 

  1. Navigate to the same AWS Organizations instance in your library. Click the gear icon in the top right of the application details page to open the application configuration dialog. Click the slider below API Integration to enable it.

  2. AWS SSO SCIM endpoint and AWS SSO SCIM Access Token are optional fields; both must be set if you want SSO user status to be brought in. Follow the steps in AWS Organization - Enable SCIM configurations to enable SCIM in AWS SSO. Treat the SCIM access token as a secret: the SCIM endpoint also accepts write operations against your identity store, so store the token only in this configuration and regenerate it if it is ever exposed.

  3. Set Discover Child Apps? to Yes if you want the member AWS accounts of this AWS Organization to be discovered automatically. Zilla will create an AWS application instance for each member account and set its RoleArn configuration value to arn:aws:iam::<member-aws-account-Id>:role/Zilla-IAM-Reader-Role (or the role name given in step 7). This also requires the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity, set in step 8 below. The default value of Discover Child Apps? is No.

  4. Set Populate Ownership For Child Apps? to Yes if you want the owners of the parent app to be assigned automatically to the discovered child apps. All owners are copied when the AWS application instance for each member account is created. The default value of Populate Ownership For Child Apps? is No.

  5. Set Auto Sync Child Apps? to Yes if you want the sync to start automatically for the child AWS application instances. This setting requires Discover Child Apps? to be Yes and the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity, set in step 8 below. The default value of Auto Sync Child Apps? is No.

  6. Set Sync SSO accounts in Child Apps? to Yes if you want to sync the AWS SSO accounts assigned to each child AWS application instance. This requires the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity, set in step 8 below, and the AWS Region under which AWS SSO is set up, set in step 9 below. The default value of Sync SSO accounts in Child Apps? is No.

  7. Set IAM Role name in member accounts to the name of the IAM role that exists in every member account of your AWS Organization. The default value is Zilla-IAM-Reader-Role. When Discover Child Apps? is Yes, the "Amazon Web Services" application instance created for each member account gets its ARN of the IAM Role for this account to which Zilla has been added as a trusted entity config built from this role name and the member account ID, so discovery only works if the role carries the same name in all member accounts.

  8. Set the ARN of the SSO Master Account's Role to which Zilla has been added as a trusted entity. For example: arn:aws:iam::<YOUR_AWS_SSO_MASTER_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role, created by following the instructions in AWS Organization - Create an IAM Role for SSO Users, Groups and Permission Set.

  9. Set AWS Region under which AWS SSO is set up (required for AWS SSO sync). Copy the region in which AWS SSO has been created, for example us-east-1, and paste it into the config field. This is the region of the IAM Identity Center instance itself, which need not be the region your workloads run in.

  10. Set Retrieve AWS SSO User status without SCIM token ? to Yes if you want to fetch user status without a SCIM token. The default value of Retrieve AWS SSO User status without SCIM token ? is No.
    Note:

    • This requires the zilla-sso-reader-policy attached to the SSO reader role to be updated to allow the sso-directory:SearchUsers action.

  11. Access Key ID of IAM User and Secret Access Key of IAM User are the credentials of an IAM user in your AWS Organization account. ONLY fill in these credentials if you want to use that IAM user to assume the IAM role you created for Zilla. This is not the recommended approach: long-lived access keys have to be stored and rotated, whereas role assumption from Zilla's trusted principal needs no stored secret.

Note:

  1. This functionality was created for AWS China accounts.

  2. It is NOT the recommended way of syncing for AWS Global accounts.

  12. Click Sync Now. Click Next on the subsequent dialog to begin the sync. Once the sync has completed successfully, your groups and group members are listed on the Accounts tab.
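The settings above depend on each other (auto sync needs discovery, discovery and SSO sync need the master role ARN, SSO sync also needs the region, SCIM status needs endpoint and token together), the child apps are derived from the member account list, and user status comes from SCIM GetUser. The following Python script is an added example, not Zilla's code, that puts those rules in one runnable place. Everything in it is an assumption made for illustration: the configuration keys, the function names, the constructed member-account list (shaped like an organizations:ListAccounts result) and the constructed SCIM user document. The SCIM lookup takes an injectable fetcher so it can be exercised offline.

```python
"""Added example (not Zilla's code): dependency rules between the API Integration
settings, child-app RoleArn derivation and a SCIM GetUser status lookup.
All config keys, function names and sample data below are invented for illustration."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Optional

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM role ARN in the aws or aws-cn partition (the page mentions AWS China accounts).
ROLE_ARN_RE = re.compile(r"^arn:aws(-cn)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def member_role_arn(account_id: str, role_name: str = "Zilla-IAM-Reader-Role") -> str:
    """RoleArn a discovered child app gets: same role name, different account ID."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def validate_config(cfg: dict) -> list[str]:
    """Return the problems the dialog's rules would flag; an empty list means OK."""
    problems = []
    discover = bool(cfg.get("discover_child_apps"))
    auto_sync = bool(cfg.get("auto_sync_child_apps"))
    sync_sso = bool(cfg.get("sync_sso_accounts_in_child_apps"))
    master_role = cfg.get("sso_master_role_arn")
    if auto_sync and not discover:
        problems.append("Auto Sync Child Apps? requires Discover Child Apps? = Yes")
    if (discover or auto_sync or sync_sso) and not master_role:
        problems.append("SSO Master Account's Role ARN is required for discovery, auto sync and SSO sync")
    if sync_sso and not cfg.get("sso_region"):
        problems.append("Sync SSO accounts in Child Apps? requires the AWS Region of AWS SSO")
    if master_role and not ROLE_ARN_RE.match(master_role):
        problems.append(f"malformed SSO master role ARN: {master_role!r}")
    endpoint, token = cfg.get("scim_endpoint"), cfg.get("scim_token")
    if bool(endpoint) != bool(token):
        problems.append("SCIM endpoint and SCIM access token must be set together")
    if endpoint and not endpoint.startswith("https://"):
        problems.append("SCIM endpoint must be https: the token travels as a bearer header")
    has_keys = bool(cfg.get("access_key_id") or cfg.get("secret_access_key"))
    china = bool(master_role) and master_role.startswith("arn:aws-cn:")
    if has_keys and not china:
        problems.append("IAM user access keys configured outside AWS China; prefer role assumption")
    return problems


def discover_child_apps(parent_cfg: dict, accounts: list[dict]) -> list[dict]:
    """One child app per ACTIVE member account, as Discover Child Apps? = Yes would create."""
    if not parent_cfg.get("discover_child_apps"):
        return []
    role_name = parent_cfg.get("member_role_name") or "Zilla-IAM-Reader-Role"
    children = []
    for acct in accounts:
        if acct.get("Status") != "ACTIVE":  # a suspended account's role cannot be assumed
            continue
        children.append({
            "name": acct["Name"],
            "RoleArn": member_role_arn(acct["Id"], role_name),
            "auto_sync": bool(parent_cfg.get("auto_sync_child_apps")),
            "owners": list(parent_cfg.get("owners", [])) if parent_cfg.get("populate_ownership") else [],
        })
    return children


Fetcher = Callable[[urllib.request.Request], bytes]


def scim_user_active(endpoint: str, token: str, user_id: str, fetch: Optional[Fetcher] = None) -> bool:
    """SCIM GetUser (GET {endpoint}/Users/{id}); the 'active' attribute is the user status."""
    url = f"{endpoint.rstrip('/')}/Users/{urllib.parse.quote(user_id, safe='')}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/scim+json",
    })
    if fetch is None:  # real network fetcher; callers inject a fake one to stay offline
        fetch = lambda r: urllib.request.urlopen(r, timeout=10).read()
    body = json.loads(fetch(req))
    if body.get("id") != user_id:
        raise ValueError("SCIM response does not match the requested user id")
    return bool(body.get("active", False))


# Constructed sample data, not taken from any real organization.
SAMPLE_ACCOUNTS = [
    {"Id": "222222222222", "Name": "prod", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "old-sandbox", "Status": "SUSPENDED"},
]
SAMPLE_CONFIG = {
    "discover_child_apps": True, "auto_sync_child_apps": True, "populate_ownership": True,
    "sync_sso_accounts_in_child_apps": True, "owners": ["alice@example.com"],
    "sso_master_role_arn": "arn:aws:iam::111111111111:role/Zilla-SSO-Reader-Role",
    "sso_region": "us-east-1",
    "scim_endpoint": "https://scim.us-east-1.amazonaws.com/example-tenant/scim/v2/",
    "scim_token": "placeholder-token",
}
SAMPLE_SCIM_USER = json.dumps({"id": "9067", "userName": "bob", "active": False}).encode()

if __name__ == "__main__":
    print(validate_config(SAMPLE_CONFIG))  # []
    for child in discover_child_apps(SAMPLE_CONFIG, SAMPLE_ACCOUNTS):
        print(child["RoleArn"], child["owners"])
    print(scim_user_active(SAMPLE_CONFIG["scim_endpoint"], SAMPLE_CONFIG["scim_token"],
                           "9067", fetch=lambda r: SAMPLE_SCIM_USER))  # False
```

The validator treats a SCIM endpoint without a token (or the reverse) and a plain-http SCIM URL as errors because the bearer token is the only thing protecting the identity store; it only tolerates stored IAM user access keys when the master role ARN is in the aws-cn partition, matching the note that this path exists for AWS China accounts.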