
Working with Sources

Once you have configured a CSP or an IDP, you can register and manage those sources in Cloud Access Management. Use the snapshot feature to see the status of all of your CSP and IDP sources.

You can access information about your sources by selecting the Sources dashboard tile or by selecting Sources in the left sidebar.

Registering Cloud Service Provider Sources

After you've followed the instructions to configure cloud service providers with your supported cloud sources, you'll use the information that you saved during that process to access and govern those cloud sources. When registering new cloud service provider sources, Cloud Access Management validates that a connection can be established using the provided configuration information.

By default, all available cloud source scopes, such as AWS member accounts, Azure subscriptions, and Google projects, are included in the registration. If you want to include only a subset of accounts, subscriptions, or projects, you can set that during the registration process or by editing the source later. See Setting Source Scope.

To register new CSP sources:

  1. Expand Sources in the left sidebar and select Cloud Sources.
  2. Select the tab of the CSP source you want to register.
  3. Select the blue button + Register to register a new source.

Registering Amazon Web Services

You can register all of your AWS source member accounts to be governed by Cloud Access Management. You can choose to register AWS Organizations or individual AWS cloud sources in environments that are not using AWS Organizations.

You will use the information generated when you configured Amazon Web Services Cloud to register AWS with Cloud Access Management.

  • Unique name: Unique user-generated name to identify this cloud instance
  • Role ARN: Role ARN generated when creating a new IAM role
  • ExternalID: External ID generated when creating a new IAM role
  • CloudTrail ARN (optional): CloudTrail ARN for an organization or individual member account

AWS Organization CloudTrail ARN

You can use the AWS Console or the CLI at the root level to get the CloudTrail ARN for an AWS Organization.

Using the AWS Console:

  1. Go to the CloudTrail page.
  2. Select Trails in the left sidebar to show a table that includes the organization trail.

Using the command line:

  1. At the root level, run aws cloudtrail describe-trails
  2. In the output, look for the trail entry that has "IsOrganizationTrail": true
  3. In that entry, you will see "TrailARN". That is your CloudTrail ARN for the AWS Organization.

AWS Individual CloudTrail ARN

To get the CloudTrail ARN for an individual member account, run: aws cloudtrail describe-trails --trail-name-list TrailName. Replace TrailName with the name of the trail you created when setting up AWS.
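The two lookups above (the organization trail from the full describe-trails output, and a single named trail for a member account) can be done without reading the JSON by eye. This is an added example, not part of the SailPoint documentation: it parses a constructed sample of `aws cloudtrail describe-trails --output json` output, picks out the organization trail ARN, looks up a trail by name, and checks that the value has the shape of a CloudTrail trail ARN before you paste it into the registration form.

```python
import json
import re

# Constructed sample of `aws cloudtrail describe-trails` output (not real account data):
# one member-account-only trail plus one organization trail.
SAMPLE_DESCRIBE_TRAILS = json.dumps({
    "trailList": [
        {
            "Name": "member-only-trail",
            "S3BucketName": "example-member-logs",
            "IsMultiRegionTrail": True,
            "IsOrganizationTrail": False,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/member-only-trail",
        },
        {
            "Name": "org-trail",
            "S3BucketName": "example-org-logs",
            "IsMultiRegionTrail": True,
            "IsOrganizationTrail": True,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
        },
    ]
})

# A trail ARN has a fixed shape: partition (aws, aws-cn, aws-us-gov), region,
# 12-digit account ID, then trail/<name>. Anything else is the wrong value.
TRAIL_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)*:cloudtrail:[a-z0-9-]+:\d{12}:trail/[A-Za-z0-9._-]+$"
)

def is_valid_trail_arn(arn):
    return bool(TRAIL_ARN_RE.match(arn))

def organization_trail_arns(describe_trails_json):
    """Every TrailARN whose IsOrganizationTrail flag is true (run from the management account)."""
    trails = json.loads(describe_trails_json).get("trailList", [])
    return [t["TrailARN"] for t in trails if t.get("IsOrganizationTrail") is True]

def trail_arn_by_name(describe_trails_json, trail_name):
    """Same result as `describe-trails --trail-name-list <name>`: the ARN of one named trail."""
    for t in json.loads(describe_trails_json).get("trailList", []):
        if t.get("Name") == trail_name:
            return t["TrailARN"]
    return None

if __name__ == "__main__":
    # To use real output: aws cloudtrail describe-trails --output json > trails.json
    print("organization trail ARN(s):", organization_trail_arns(SAMPLE_DESCRIBE_TRAILS))
    print("member trail ARN:", trail_arn_by_name(SAMPLE_DESCRIBE_TRAILS, "member-only-trail"))
```

The organization trail is only reported with `"IsOrganizationTrail": true` when the command is run from the organization's management account, which is why the page says to run it at the root level.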

Registering Azure Cloud

You will use the information generated when you configured Azure Cloud to register Azure Cloud with Cloud Access Management.

  • Unique Name: Unique user-provided name to identify this cloud instance
  • Application ID: Application ID generated when registering Cloud Access Management with Azure Cloud
  • Application Secret: Client secret created during configuration
  • Azure Tenant ID: Tenant ID shown when registering Cloud Access Management with Azure Cloud

Registering Google Cloud Platform

You will use the information generated when you configured Google Cloud Platform to register GCP with Cloud Access Management.

  • Source Name: Unique user-provided name to identify this cloud instance
  • Email with Admin Privileges: Email of the administrator for this source, created when you registered your GCP organization with SailPoint
  • Credentials (upload a file or paste the .json): Key generated when creating a service account

Setting Source Scope

You can specify a subset of your cloud source hierarchy that you want included in Cloud Access Management. When registering or editing your cloud sources, select the Test Connection button to validate the basic access to the registered cloud source. Once it is verified, you can choose to enable source scoping and then select the member accounts, projects, or subscriptions that you want to include in Cloud Access Management.

You can adjust the scope list at any time by selecting the menu icon on the right and selecting Edit.

Managing Cloud Service Provider Sources

After your CSP sources have been registered, you can view and make edits to them on the sources page. Expand Sources in the left sidebar and select Cloud Sources, then choose the tab of the CSP you want to view or edit. This will show you all of the sources you have registered with Cloud Access Management.

All cloud sources are shown in an organizational hierarchy, making it easy to navigate parent and child relationships. Select the blue Open button to expand parent folders to see the subfolders, projects, member accounts, management groups, or subscriptions for that source.

The source status is shown on the right, alerting you to any state changes. Hover over it to see more information. Select the menu icon on the right to edit or delete the source.

Warning

If you delete a source, Cloud Access Management will no longer be able to connect to that source and all governance activities will cease immediately. You'll have to re-register the source to begin governing the resources and activity on that cloud.

Registering Identity Provider Sources

After you've followed the instructions to configure identity providers with your supported identity provider sources, you'll use the information that you saved during that process to access and govern those sources.

When registering new IDP sources, Cloud Access Management validates that a connection can be established with the provided configuration information.

To register new IDP sources:

  1. Expand Sources in the left sidebar and select IDP Sources.
  2. Select the tab of the IDP source you want to register.
  3. Select the blue button + Register to register a new source.

Registering Azure Active Directory

Once Azure AD is configured, you can register it as an identity provider in Cloud Access Management.

On the IDP Sources page, select Azure Active Directory at the top to register your source using the following fields:

  • Active Directory Name: Unique user-provided name to identify this IDP instance
  • Directory ID: Tenant ID in Azure Cloud
  • Application ID: Application ID of the Cloud Access Management application
  • Application Secret: Secret associated with Cloud Access Management. You can find this in the Azure Portal by selecting the SailPoint application in App registrations and viewing Certificates & secrets.
  • SAAS Application Cloud Type: Select Amazon Web Services from the dropdown menu.
  • SAAS Application ID: Application ID of the AWS application registered with Azure.

Registering Okta

Once Okta is configured, you can register it as an identity provider in Cloud Access Management.

On the IDP Sources page, select the icon for Okta to register your IDP source using the following fields:

  • Source Name: Unique user-provided name to identify this IDP instance
  • Organization URL: URL where your organization's Okta is hosted
  • Application Token: API token generated by following these directions.
  • Application ID: Okta Application ID found by following these directions.
  • SAAS Application Type: Select Amazon Web Services from the dropdown menu.

Managing Identity Provider Sources

After your IDP sources have been registered, you can view and make edits to them on the sources page. Expand Sources in the left sidebar and select IDP Sources, then choose the tab of the IDP you want to view or edit. This will show you all of the sources you have registered with Cloud Access Management.

The source status is shown on the right, alerting you to any state changes. Select the menu icon on the right to edit or delete the source.

Warning

If you delete a source, Cloud Access Management will no longer be able to connect to that source and all governance activities will cease immediately. You'll have to re-register the source to begin governing the resources and activity on that source again.

Using Snapshots

You can see the status of all of your CSP and IDP sources at once by going to the Snapshots page under Sources. A snapshot is a collection of all the resources, identities, and objects that your CSPs and IDPs have at a certain point in time. Snapshots show the progress and errors for all sources, making it easy to track issues across your providers.

  • Last Run shows when the last snapshot was started.
  • Elapsed Time shows how long it took for the snapshot to complete.
  • Run By shows if the snapshot was triggered manually or as part of the scheduled nightly snapshot.

Select Run All to trigger a manual snapshot.