Set Up Service User or Service Role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::<<AWS account ID>>:role/<<cross account role name>>"
        }
    ]
}
Where <<cross account role name>> is the cross-account role that has the customer managed / inline policies mentioned above attached; it is the role the service user or service role assumes in order to perform all the tasks the source requires. Granting sts:AssumeRole to the caller is only half of the setup: the cross-account role's trust policy must also list the service user or service role as an allowed principal, otherwise the AssumeRole call is denied regardless of this policy.
Note
Create this policy in each AWS account that you want to manage. Replace <<AWS account ID>> with the ID of the master account.
GetUserInlinePolicy Document
The iam:GetUser API permission is required when the authentication method is IAM User and you want to manage organization group objects.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::<<Service User's AWS account ID>>:user/<<Service User name>>"
        }
    ]
}
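The two policy documents above are only useful once the placeholders are replaced with real values and the cross-account role trusts the caller. The following Python script is an added example, not code from this product or the original page: it generates both documents from sample values, builds the matching trust policy for the cross-account role, and runs a simplified offline check of whether sts:AssumeRole would be permitted, which requires both the caller's identity policy and the role's trust policy to allow it. The account IDs, user name and role name are constructed placeholders; the evaluation logic is a deliberately reduced model of IAM (explicit Deny wins, then any matching Allow) and does not replace testing with the real AWS CLI.

```python
import re

# Constructed sample values for this example; not identifiers from the page.
USER_ACCOUNT_ID = "111111111111"   # account that owns the service user
ROLE_ACCOUNT_ID = "222222222222"   # account that owns the cross-account role
SERVICE_USER = "svc-cloud-manager"
CROSS_ACCOUNT_ROLE = "CrossAccountManagementRole"

_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def is_valid_account_id(account_id):
    """True for a 12-digit account ID; False for unreplaced <<placeholders>> and the like."""
    return bool(_ACCOUNT_ID_RE.match(account_id))


def iam_arn(account_id, kind, name):
    """Build arn:aws:iam::<account>:<user|role>/<name>, rejecting bad account IDs."""
    if not is_valid_account_id(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    if kind not in ("user", "role"):
        raise ValueError(f"unsupported IAM resource type: {kind!r}")
    return f"arn:aws:iam::{account_id}:{kind}/{name}"


def assume_role_policy(target_role_arn):
    """Identity policy for the service user/role (the first document on the page)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["sts:AssumeRole"], "Resource": target_role_arn}]}


def get_user_policy(service_user_arn):
    """Identity policy granting iam:GetUser on the service user itself (second document)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["iam:GetUser"], "Resource": service_user_arn}]}


def trust_policy(trusted_principal_arn):
    """Trust policy on the cross-account role, the half the page does not show."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def identity_allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_glob(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(policy, principal_arn):
    """Does the role's trust policy let this principal call sts:AssumeRole?"""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(_glob(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(p == "*" or p == principal_arn for p in principals):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(caller_arn, caller_policy, role_arn, role_trust_policy):
    """Cross-account AssumeRole needs both the caller's identity policy and the role's trust."""
    return (identity_allows(caller_policy, "sts:AssumeRole", role_arn)
            and trust_allows(role_trust_policy, caller_arn))


def wildcard_resources(policy):
    """Least-privilege check: the page's policies name one exact ARN, never '*'."""
    return [r for stmt in _as_list(policy["Statement"])
            for r in _as_list(stmt.get("Resource", [])) if "*" in r]


if __name__ == "__main__":
    user = iam_arn(USER_ACCOUNT_ID, "user", SERVICE_USER)
    role = iam_arn(ROLE_ACCOUNT_ID, "role", CROSS_ACCOUNT_ROLE)
    print("identity policy + matching trust:",
          can_assume(user, assume_role_policy(role), role, trust_policy(user)))
    other = iam_arn(ROLE_ACCOUNT_ID, "user", "someone-else")
    print("identity policy, trust names a different principal:",
          can_assume(user, assume_role_policy(role), role, trust_policy(other)))
```

The second printed case is the failure mode practitioners most often hit: the identity policy from the page is in place, but the cross-account role's trust policy names a different principal (or the wrong account), so AssumeRole still fails. Once the documents look right, confirm against the real service with `aws sts assume-role --role-arn <role ARN> --role-session-name test` using the service user's credentials.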