AWS Organization - Create an IAM Role for SSO Users, Groups and Permission Set
Note: Below are the steps to create Zilla-SSO-Reader-Role manually using the AWS IAM console. Another option is to use AWS CloudFormation to create this role; to do so, follow the steps in AWS CloudFormation For Creating Zilla-SSO-Reader-Role.
Create an IAM Policy for SSO Users, Groups and Permission Set
Steps to create an IAM Policy Zilla-SSO-Reader-Policy
Log in to the Management Account of your AWS Organization in the AWS Management Console.
Navigate to the IAM dashboard.
Click on Policies in the left-hand menu of the IAM dashboard.
Click Create policy and then click on the JSON tab.
IAM Policy Creation: Enter the following JSON snippet and click Next: Tags. The following policy allows Zilla to read the SSO Users, Groups and Permission Sets information from your AWS account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "identitystore:Describe*",
        "identitystore:List*"
      ],
      "Resource": "*"
    }
  ]
}
Optionally add tags and click Next: Review.
Review Policy: On the review page, enter the Name (Zilla-SSO-Reader-Policy) and optionally a description for the policy. Review the permissions assigned to the policy and then click Create policy. The policy will look like this:
You will see a success message like this:
To confirm that the policy is present, you can search for it in the policy search bar. You will see your newly added policy in the list.
Click the policy Zilla-SSO-Reader-Policy to double-check the assigned permissions. The policy will look like this:
Click on the {} JSON tab to double-check the policy JSON.
Now that you have created the policy, the next step is to create a cross-account IAM Role.
Create an IAM Role for SSO Users, Groups and Permission Set
Steps to create an IAM Role Zilla-SSO-Reader-Role
Click Roles in the left-hand menu to begin.
Click the Create role button to create a new IAM Role. Under Select trusted entity, select AWS account and enter the 12-digit, region-specific Zilla Account ID (listed below). Under Options, select the 'Require external ID' checkbox and enter your tenant's domain name as the External ID (for example, if your tenant's domain name is example.com, enter example.com as the External ID). Then click Next.
US region Account ID: 087210011007
EU region Account ID: 319105906071
Australia/New Zealand region Account ID: 868976368166
On the Add permissions page, search for the AWSSSOReadOnly policy and select its checkbox. Also search for the policy created above, Zilla-SSO-Reader-Policy, and select its checkbox. Then click Next.
On the Step 3 page, enter the role name Zilla-SSO-Reader-Role and optionally add a description. Ensure the Trusted entities account ID matches the region-specific Zilla Account ID and that the Policies section contains Zilla-SSO-Reader-Policy, then click Create role.
Once the role is created, you can search for it on the Roles tab and click on the role to check its details.
On the role details page, double-check the policy under the Trust relationships tab: Trusted entities should show the region-specific Zilla Account ID, and your domain name should appear as the ExternalId condition.
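Added example, not part of Zilla's documentation or code: a small Python script that builds the trust policy the console generates for the choices above (trusted AWS account, 'Require external ID' set to the tenant's domain) and checks an existing trust policy document and attached-policy list against what this page expects. The account IDs and policy names are taken from this page; the region keys us/eu/anz, the function names and the sample domain example.com are assumptions. The sts:ExternalId condition is what stops another party who learns your role ARN from having Zilla assume the role on their behalf (the confused-deputy problem), so the checker reports its absence, a wrong value, a wildcard principal, or a trusted account other than Zilla's for your region.

```python
import json
from typing import Optional

# Zilla's region-specific account IDs, copied from this page.
# The short region keys are an assumption for this example.
ZILLA_ACCOUNT_IDS = {
    "us": "087210011007",
    "eu": "319105906071",
    "anz": "868976368166",
}

# Policies the role is expected to carry, as named on this page.
EXPECTED_POLICY_NAMES = {"AWSSSOReadOnly", "Zilla-SSO-Reader-Policy"}


def build_trust_policy(region: str, tenant_domain: str) -> dict:
    """Trust policy equivalent to the console choices on this page: trusted
    entity = Zilla's account for `region`, external ID = tenant's domain."""
    account_id = ZILLA_ACCOUNT_IDS[region]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": tenant_domain}},
            }
        ],
    }


def _principal_account_id(principal) -> Optional[str]:
    """Return the 12-digit account id named by a Principal block
    ('arn:aws:iam::123456789012:root' or a bare account id), else None."""
    if not isinstance(principal, dict):
        return None  # "*" or some other non-account principal
    aws = principal.get("AWS")
    if isinstance(aws, list):
        if len(aws) != 1:
            return None  # this page sets up exactly one trusted account
        aws = aws[0]
    if not isinstance(aws, str):
        return None
    if aws.startswith("arn:aws:iam::") and aws.endswith(":root"):
        aws = aws[len("arn:aws:iam::"):-len(":root")]
    return aws if aws.isdigit() and len(aws) == 12 else None


def check_trust_policy(doc: dict, region: str, tenant_domain: str) -> list:
    """Compare a role's trust policy (the AssumeRolePolicyDocument shown on the
    Trust relationships tab) with what this page expects. Empty list = OK."""
    findings = []
    expected_account = ZILLA_ACCOUNT_IDS[region]
    allow_stmts = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    if not allow_stmts:
        return ["no Allow statement: nobody can assume the role"]
    for stmt in allow_stmts:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # not an assume-role grant
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account could assume the role")
            continue
        account = _principal_account_id(principal)
        if account != expected_account:
            findings.append(
                f"trusted account {account!r} is not Zilla's {region} account {expected_account}"
            )
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition ('Require external ID' not set)")
        elif ext_id != tenant_domain:
            findings.append(f"external ID {ext_id!r} does not match tenant domain {tenant_domain!r}")
    return findings


def check_attached_policies(attached_names) -> list:
    """Compare the policy names attached to the role with the two this page expects."""
    attached = set(attached_names)
    findings = [f"missing policy {n}" for n in sorted(EXPECTED_POLICY_NAMES - attached)]
    findings += [f"unexpected extra policy {n}" for n in sorted(attached - EXPECTED_POLICY_NAMES)]
    return findings


if __name__ == "__main__":
    # Constructed sample: a US-region tenant whose domain is example.com.
    trust = build_trust_policy("us", "example.com")
    print(json.dumps(trust, indent=2))
    print("trust policy findings:", check_trust_policy(trust, "us", "example.com"))
    print("attached policy findings:",
          check_attached_policies(["AWSSSOReadOnly", "Zilla-SSO-Reader-Policy"]))
```

To check a live role, paste the JSON from the role's Trust relationships tab into json.loads and pass the result to check_trust_policy together with your region and domain; the attached policy names come from the role's Permissions tab.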
Notes:
Copy the Role ARN, for example arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/Zilla-SSO-Reader-Role, and keep it handy for later.
Typically organizations will have one MASTER AWS ACCOUNT under which they set up multiple Users, Groups, Permission Sets and AWS Accounts. So it's likely you will need to create the SSO Role and Policy only once, against your MASTER AWS ACCOUNT.
Currently, the IAM Role and Policy creation to bring in SSO Users, Groups and Permission Sets is optional in Zilla.