Working with Accounts

Once you have configured a CSP or an IDP, you can register and view those accounts in Cloud Access Management.

You can access information about your accounts by selecting the Accounts dashboard tile or by selecting Accounts in the left sidebar.

Registering Cloud Service Provider Accounts

After you've followed the instructions to configure cloud service providers with your supported cloud accounts, you'll use the information that you saved during that process to access and govern those cloud accounts. When registering new cloud service provider accounts, Cloud Access Management validates that a connection can be established using the provided configuration information.

By default, all available cloud accounts such as AWS member accounts, Azure subscriptions, and Google projects are included in the registration. If you want to only include a subset of accounts, subscriptions, or projects, you can set that during the registration process or by editing the account later. See Setting Account Scope.

To register new CSP accounts:

  1. Expand Accounts in the left sidebar and select Cloud Accounts.
  2. Select the tab of the CSP account you want to register.
  3. Select the blue button + Register to register a new account.

Registering Amazon Web Services

You can register all of your AWS accounts to be governed by Cloud Access Management. You can choose to register AWS organizations or individual AWS cloud accounts in environments that are not using AWS Organizations.

You will use the information generated when you configured Amazon Web Services Cloud to register AWS with Cloud Access Management.

Unique name: Unique user-generated name to identify this cloud instance.
Role ARN: Role ARN generated when creating a new IAM role.
ExternalID: External ID generated when creating a new IAM role.
CloudTrail ARN (optional): CloudTrail ARN for an organization or individual member account.

AWS Organization CloudTrail ARN

You can use the AWS Console or the CLI at the root level to get the CloudTrail ARN for an AWS organization.

Using the AWS Console:

  1. Go to the CloudTrail page.
  2. Select Trails in the left sidebar and it will show a table with the organization trail.

Using the command line:

  1. At the root level, run aws cloudtrail describe-trails.
  2. In the output, look for the trail entry that has "IsOrganizationTrail": true.
  3. In that entry, you will see "TrailARN". That is your CloudTrail ARN for the AWS organization.

AWS Individual CloudTrail ARN

To get the CloudTrail ARN for an individual member account, run: aws cloudtrail describe-trails --trail-name-list TrailName. Replace TrailName with the name of the trail you created when setting up AWS.
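The two lookups above, selecting the organization trail from describe-trails output and selecting an individual trail by name, as an added example that is not part of the SailPoint documentation. The JSON is a constructed sample in the shape the AWS CLI prints; in practice you would feed in the real output of aws cloudtrail describe-trails. The trail names and account IDs are placeholders.

```python
import json

# Constructed sample of `aws cloudtrail describe-trails` output:
# one account-local trail plus one organization trail.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "member-local-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/member-local-trail",
            "IsOrganizationTrail": False,
        },
        {
            "Name": "org-trail",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:999999999999:trail/org-trail",
            "IsOrganizationTrail": True,
        },
    ]
})


def organization_trail_arn(describe_trails_json: str) -> str:
    """Return the TrailARN of the entry flagged "IsOrganizationTrail": true.

    Raises LookupError unless exactly one such trail exists, so a missing or
    duplicated organization trail is surfaced instead of silently registering
    the wrong ARN with Cloud Access Management.
    """
    trails = json.loads(describe_trails_json).get("trailList", [])
    org_trails = [t for t in trails if t.get("IsOrganizationTrail") is True]
    if len(org_trails) != 1:
        raise LookupError(f"expected one organization trail, found {len(org_trails)}")
    return org_trails[0]["TrailARN"]


def trail_arn_by_name(describe_trails_json: str, trail_name: str) -> str:
    """Return the TrailARN for the named trail (the individual member-account case)."""
    for trail in json.loads(describe_trails_json).get("trailList", []):
        if trail.get("Name") == trail_name:
            return trail["TrailARN"]
    raise LookupError(f"no trail named {trail_name!r}")


if __name__ == "__main__":
    print(organization_trail_arn(SAMPLE_DESCRIBE_TRAILS))
    print(trail_arn_by_name(SAMPLE_DESCRIBE_TRAILS, "member-local-trail"))
```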

Registering Azure Cloud

You will use the information generated when you configured Azure Cloud to register Azure Cloud with Cloud Access Management.

Unique Name: Unique user-provided name to identify this cloud instance.
Application ID: Application ID generated when registering Cloud Access Management with Azure Cloud.
Application Secret: Client secret created during configuration.
Azure Tenant ID: Tenant ID shown when registering Cloud Access Management with Azure Cloud.

Registering Google Cloud Platform

You will use the information generated when you configured Google Cloud Platform to register GCP with Cloud Access Management.

Name Account: Unique user-provided name to identify this cloud instance.
Email with Admin Privileges: Email of the administrator for this account, created when you registered your GCP organization with SailPoint.
Credentials: Provided by uploading a file or pasting the .json key generated when creating a service account.

Setting Account Scope

You can specify the accounts you want included in Cloud Access Management. When registering or editing your cloud accounts, select the Test Connection button to validate the account. Once it is verified, you can choose to enable account scoping and then select the accounts, projects, or subscriptions that you want to include in Cloud Access Management.

You can adjust the scope list at any time by selecting the menu icon on the right and selecting Edit.

Managing Cloud Service Provider Accounts

After your CSP accounts have been registered, you can view and make edits to them on the accounts page. Expand Accounts in the left sidebar and select Cloud Accounts, then choose the tab of the CSP you want to view or edit. This will show you all of the accounts you have registered with Cloud Access Management.

All cloud accounts are shown in an organizational hierarchy, making it easy to navigate parent and child relationships. Select the blue Open button to expand parent folders to see the subfolders, projects, accounts, management groups, or subscriptions for that account.

The account status is shown on the right, alerting you to any state changes. Select the menu icon on the right side to edit or delete the account.

Warning

If you delete an account, Cloud Access Management will no longer be able to connect to that account and all governance activities will cease immediately. You'll have to re-register the account to begin governing the resources and activity on that cloud.

Registering Identity Provider Accounts

After you've followed the instructions to configure identity providers with your supported identity provider accounts, you'll use the information that you saved during that process to access and govern those accounts.

When registering new IDP accounts, Cloud Access Management validates that a connection can be established with the provided configuration information.

To register new IDP accounts:

  1. Expand Accounts in the left sidebar and select IDP Accounts.
  2. Select the tab of the IDP account you want to register.
  3. Select the blue button + Register to register a new account.

Registering Azure Active Directory

Once Azure AD is configured, you can register it as an identity provider in Cloud Access Management.

On the IDP Accounts page, select the icon for Azure AD to register your account using the following fields:

Active Directory Name: Unique user-provided name to identify this IDP instance.
Directory ID: Tenant ID in Azure Cloud.
Application ID: Application ID of the Cloud Access Management application.
Application Secret: Secret associated with Cloud Access Management. You can find this in the Azure Portal by selecting the SailPoint application in App registrations and viewing Certificates & secrets.
SAAS Application Cloud Type: Select Amazon Web Services from the drop-down menu.
SAAS Application ID: Application ID of the AWS application registered with Azure.

Registering Okta

Once Okta is configured, you can register it as an identity provider in Cloud Access Management.

On the IDP Accounts page, select the icon for Okta to register your account using the following fields:

Account Name: Unique user-provided name to identify this IDP instance.
Organization URL: URL where your organization's Okta is hosted.
Application Token: API token generated by following these directions.
Application ID: Okta Application ID found by following these directions.
SAAS Application Type: Select Amazon Web Services from the drop-down menu.

Managing Identity Provider Accounts

After your IDP accounts have been registered, you can view and make edits to them on the accounts page. Expand Accounts in the left sidebar and select IDP Accounts, then choose the tab of the IDP you want to view or edit. This will show you all of the accounts you have registered with Cloud Access Management.

The account status is shown on the right, alerting you to any state changes. Select the menu icon on the right side to edit or delete the account.

Warning

If you delete an account, Cloud Access Management will no longer be able to connect to that account and all governance activities will cease immediately. You'll have to re-register the account to begin governing the resources and activity on that account again.