Source Configuration Guide
There are currently two authentication choices when configuring the AWS connector in IdentityNow. IAM User and IAM Role. Refer to the respective section below for configuration information.
Note
It’s a good idea to establish a naming convention for the policies and roles that you create during this process. For example, "SPAggregationPolicy", "SPAssumeRolePolicy", and "SPCrossAccountRole".
Important
This guide assumes you are connecting to an AWS environment that uses AWS Organizations with multiple AWS accounts under it. This is the most common deployment method. If you are connecting to a single AWS account without access to an AWS organization (for testing, POCs, etc.), you must manually remove the AWS organization schema objects as those are included by default with the AWS connector. Instructions on how to remove the schema objects are included at the end of this guide.
This guide assumes you are connecting to an AWS environment that uses AWS Organizations with multiple AWS accounts under it. This is the most common deployment method. If you are connecting to a single AWS account without access to an AWS organization (for testing, POCs, etc.), you must manually remove the AWS organization schema objects as those are included by default with the AWS connector. Instructions on how to remove the schema objects are included at the end of this guide.
IAM User Authentication
IAM User needs be created in the management AWS account or member AWS account based on application configuration.
IAM User In the management AWS Account:
To manage the organization entities like SCPs, OUs and AWS Accounts, it is required to create the Service IAM User in the management AWS Account. Additionally, all the organization related permissions must be given through the cross-account role present in the management AWS account.
To manage all AWS accounts (the Manage All Accounts checkbox in configuration parameters), the service user must be in the management AWS account to get all the AWS Account IDs.
IAM Role Authentication
Important
Your IdentityNow Virtual Appliance must be hosted in AWS and it must have a role attached to it. The role also needs to have a policy attached to it that allows it to assume the cross-account role(s) you will create. The Virtual Appliance may reside in either the management AWS account or a member AWS account.
Overview
You will be creating two different role types and 4 different policies.
-
IAM Service Role - attached to the SailPoint Virtual Appliance in AWS
-
Attached Policy:
-
Assume Role Policy - this grants the VA permission to assume the cross-account roles.
-
-
-
IAM Cross-account role(s) - one for each AWS account you want to manage
-
Attached Policies:
These grant the permissions needed for IDN to perform its normal operations.
-
Aggregation Policy
-
Organization Policy
-
Provisioning Policy
-
-
Important
Our documentation outlines two sets of policies you can choose from depending on whether or not you need multi-group object support. If you only want to manage one entitlement in AWS, such as a group, then use the "Policies Required for Non Multiple-group Object Source". If you want to manage more than one entitlement type in AWS, such as groups, AWS Managed Policies, Customer Managed Policies, Inline Policies, Service Control Policies (SCPs), AWS Organization OUs, AWS Accounts, etc. then use the "Policies Required for Multiple-group Object Source". Multi-group object support is a more recent enhancement and provides more capability/visibility. In most cases, you should use the multi-group object policies.
Our documentation outlines two sets of policies you can choose from depending on whether or not you need multi-group object support. If you only want to manage one entitlement in AWS, such as a group, then use the "Policies Required for Non Multiple-group Object Source". If you want to manage more than one entitlement type in AWS, such as groups, AWS Managed Policies, Customer Managed Policies, Inline Policies, Service Control Policies (SCPs), AWS Organization OUs, AWS Accounts, etc. then use the "Policies Required for Multiple-group Object Source". Multi-group object support is a more recent enhancement and provides more capability/visibility. In most cases, you should use the multi-group object policies.
Note
Perform these steps in the order outlined below as they are dependent on one another.
Policies
Create 3 policies in each AWS account you want to manage:
-
Aggregation Policy
-
Organization Policy
-
Provisioning Policy
These will be attached to your cross-account roles.
-
Create a new policy.
-
Select the JSON tab
-
Paste in the JSON provided in the connector documentation. For most deployments, you will be using the multiple group object policies found in the guide Integrating SailPoint and Amazon Web Services.
Cross-account Roles
Create a cross-account role in each AWS account you want to manage and attach the 3 policies you created above. When creating this role, select the second option in the role creation wizard for Another AWS account. Enter the Account ID for the management account in your AWS Organization (even for the one you create in the management account). You MUST use the same name for every cross-account role.
Screenshot
Note
You must modify the Trust Relationship for the cross-account role at the management account level to include a trust for ALL other member AWS account IDs that you want to manage.
Example JSON:
Copy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<MasterAccountID>:root",
"arn:aws:iam::<MemberAccountID>:root",
"arn:aws:iam::<MemberAccountID>:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}Note
The cross-account roles you create on each member AWS account only need to trust the management account ID.
IAM Service Role
When creating the role for your VA, the role creation wizard will ask you to select a type of trusted entity. Choose the first option, AWS service, and then select EC2 under the common use cases list. This role will get attached to your Virtual Appliance EC2 instance.
The role also needs to have a policy attached to it that allows it to assume the cross-account role(s) you will create.
-
Create a new policy.
-
Select the JSON tab.
-
Paste in the following JSON:
Copy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::<MasterAccountID>:role/<CrossAccountRoleName>",
"arn:aws:iam::<MemberAccountID1>:role/<CrossAccountRoleName>",
"arn:aws:iam::<MemberAccountID2>:role/<CrossAccountRoleName>"
]
}
]
}Note
The Resource section will contain references to all of the cross-account roles you create. You can copy the Role ARN from the top of the role summary screen.
Note
Example Role ARN: "arn:aws:iam::012345678901:role/SPCrossAccountRole"
The result should look similar to this:
Attach it to your EC2 instance for your Virtual Appliance:
How to Remove the Schema Objects for use with a single AWS Account
The default AWS connector assumes you will be connecting to an AWS Organization structure, therefore, it includes default group schema objects related to AWS Organization objects. If you attempt to connect to a single AWS account, you will likely encounter error messages during a test connection regarding AWS Organizations. Today, the workaround is to manually remove the group schema objects related to AWS Organization objects. This requires API work as there is currently no UI for group schema.
You must remove the following group schema objects using Postman:
-
OrganizationUnit
-
SCP
-
AWSAccount
To modify the schema, use Postman to do the following:
-
List all the sources in your IDN tenant to find the AWS source ID:
-
GET https://{tenant}.api.identitynow.com/v3/sources
-
-
List the AWS source schema using the ID you obtained from step 1:
-
GET https://{tenant}.api.identitynow.com/v3/sources/{sourceId}/schemas
-
Note the schemaId for each of the section you will remove (OrganizationUnit, SCP, AWSAccount)
-
-
Delete each of the schema sections for OrganizationUnit, SCP and AWSAccount using the appropriate schemaId for each:
-
DELETE https://{tenant}.api.identitynow.com/v3/sources/{sourceId}/schemas/{schemaId}
-
As a reference, here is the default schema. You will see a section for OrganizationUnit, SCP and AWSAccount near the very bottom of the schema:
Note
Each section has a unique schemaId. You will need those IDs to delete each section.
Copy
[
{
"nativeObjectType": "account",
"identityAttribute": "ARN",
"displayAttribute": "UserName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "UserName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "UserId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "Path to the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "User Creation date",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ConsoleAccess",
"type": "STRING",
"schema": null,
"description": "Password Status",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Groups",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260c",
"name": "group"
},
"description": "Groups the user is a part of",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "AWSManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260d",
"name": "AWSManagedPolicy"
},
"description": "AWS Managed Policies directly assigned to this user",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "CustomerManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260e",
"name": "CustomerManagedPolicy"
},
"description": "Customer Managed Policies directly assigned to this user",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "InlinePolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260f",
"name": "InlinePolicy"
},
"description": "Inline Policies directly assigned to this user",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "Access Keys",
"type": "STRING",
"schema": null,
"description": "Access keys associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWS CodeCommit HTTPS Credentials",
"type": "STRING",
"schema": null,
"description": "AWS CodeCommit HTTPS Git credentials associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWS CodeCommit SSH Keys",
"type": "STRING",
"schema": null,
"description": "AWS CodeCommit SSH public keys associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Signing Certificates",
"type": "STRING",
"schema": null,
"description": "Signing Certificates associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PasswordLastUsed",
"type": "STRING",
"schema": null,
"description": "Password last used date of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AccessKeyLastUsed",
"type": "STRING",
"schema": null,
"description": "Access key last used details of the user ",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260b",
"name": "account",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "group",
"identityAttribute": "ARN",
"displayAttribute": "GroupName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "GroupName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "GroupId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "Path to the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "Creation date of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSManagedPolicies",
"type": "STRING",
"schema": null,
"description": "AWS Managed Policies directly assigned to the group",
"isMulti": true,
"isEntitlement": true,
"isGroup": false
},
{
"name": "CustomerManagedPolicies",
"type": "STRING",
"schema": null,
"description": "Customer Managed Policies directly assigned to the group",
"isMulti": true,
"isEntitlement": true,
"isGroup": false
},
{
"name": "InlinePolicies",
"type": "STRING",
"schema": null,
"description": "Inline Policies directly assigned to the group",
"isMulti": true,
"isEntitlement": true,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260c",
"name": "group",
"created": "2021-08-12T19:11:37.577Z",
"modified": "2021-08-12T19:11:37.673Z"
},
{
"nativeObjectType": "AWSManagedPolicy",
"identityAttribute": "ARN",
"displayAttribute": "PolicyName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "PolicyName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "A friendly description of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "The path to the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "The creation date of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "UpdateDate",
"type": "STRING",
"schema": null,
"description": "The last update date of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "DefaultVersionId",
"type": "STRING",
"schema": null,
"description": "The currently enabled version ID of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260d",
"name": "AWSManagedPolicy",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "CustomerManagedPolicy",
"identityAttribute": "ARN",
"displayAttribute": "PolicyName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"PROVISIONING",
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "PolicyName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "A friendly description of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "The creation date of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "UpdateDate",
"type": "STRING",
"schema": null,
"description": "The last update date of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "The path to the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "DefaultVersionId",
"type": "STRING",
"schema": null,
"description": "The currently enabled version ID of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyGroups",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260c",
"name": "group"
},
"description": "Groups attached to the customer managed policy",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "PolicyRoles",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692610",
"name": "Role"
},
"description": "Roles attached to the customer managed policy",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
}
],
"id": "2c9180887b36bc33017b3bc6ec69260e",
"name": "CustomerManagedPolicy",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "InlinePolicy",
"identityAttribute": "Id",
"displayAttribute": "Name",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "Name",
"type": "STRING",
"schema": null,
"description": "The friendly name of the policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Id",
"type": "STRING",
"schema": null,
"description": "The unique ID of the policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260f",
"name": "InlinePolicy",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "Role",
"identityAttribute": "ARN",
"displayAttribute": "RoleName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"PROVISIONING",
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "RoleName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "RoleId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "Path to the Role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "Role Description",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "Creation date of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260d",
"name": "AWSManagedPolicy"
},
"description": "AWS Managed Policies directly assigned to the role",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "CustomerManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260e",
"name": "CustomerManagedPolicy"
},
"description": "Customer Managed Policies directly assigned to the role",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "InlinePolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260f",
"name": "InlinePolicy"
},
"description": "Inline Policies directly assigned to the role",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "TrustPolicyJSON",
"type": "STRING",
"schema": null,
"description": "Trust Relationship Policy JSON",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "MaxSessionDuration",
"type": "STRING",
"schema": null,
"description": "Maximum CLI/API session duration",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec692610",
"name": "Role",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "SCP",
"identityAttribute": "ARN",
"displayAttribute": "SCPName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "SCPName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "SCPId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "A friendly description of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSManaged",
"type": "STRING",
"schema": null,
"description": "A boolean value that indicates whether the Service Control Policy is an AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec692611",
"name": "SCP",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "AWSAccount",
"identityAttribute": "ARN",
"displayAttribute": "AWSAccountName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "AWSAccountName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSAccountId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Email",
"type": "STRING",
"schema": null,
"description": "The email address associated with the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Status",
"type": "STRING",
"schema": null,
"description": "The status of the AWS account in the organization.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "JoinedMethod",
"type": "STRING",
"schema": null,
"description": "The method by which the AWS account joined the organization.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "JoinedTimestamp",
"type": "STRING",
"schema": null,
"description": "The date the AWS account became a part of the organization.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "OrganizationUnit",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692613",
"name": "OrganizationUnit"
},
"description": "Organization unit holding the AWS Account",
"isMulti": false,
"isEntitlement": false,
"isGroup": true
}
],
"id": "2c9180887b36bc33017b3bc6ec692612",
"name": "AWSAccount",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "OrganizationUnit",
"identityAttribute": "ARN",
"displayAttribute": "OUName",
"hierarchyAttribute": "Parent",
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "OUName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "OUId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ServiceControlPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692611",
"name": "SCP"
},
"description": "Service Control Policies attached to the Organization Unit",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "Parent",
"type": "STRING",
"schema": null,
"description": "Parent Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": true
},
{
"name": "AWSAccounts",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692612",
"name": "AWSAccount"
},
"description": "AWS Accounts attached to the Organization Unit",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
}
],
"id": "2c9180887b36bc33017b3bc6ec692613",
"name": "OrganizationUnit",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
}
]Here is the section that must be removed:
Copy
{
"nativeObjectType": "SCP",
"identityAttribute": "ARN",
"displayAttribute": "SCPName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "SCPName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "SCPId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "A friendly description of the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSManaged",
"type": "STRING",
"schema": null,
"description": "A boolean value that indicates whether the Service Control Policy is an AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the Service Control Policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec692611",
"name": "SCP",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "AWSAccount",
"identityAttribute": "ARN",
"displayAttribute": "AWSAccountName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "AWSAccountName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSAccountId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Email",
"type": "STRING",
"schema": null,
"description": "The email address associated with the AWS account.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Status",
"type": "STRING",
"schema": null,
"description": "The status of the AWS account in the organization.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "JoinedMethod",
"type": "STRING",
"schema": null,
"description": "The method by which the AWS account joined the organization.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "JoinedTimestamp",
"type": "STRING",
"schema": null,
"description": "The date the AWS account became a part of the organization.",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "OrganizationUnit",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692613",
"name": "OrganizationUnit"
},
"description": "Organization unit holding the AWS Account",
"isMulti": false,
"isEntitlement": false,
"isGroup": true
}
],
"id": "2c9180887b36bc33017b3bc6ec692612",
"name": "AWSAccount",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "OrganizationUnit",
"identityAttribute": "ARN",
"displayAttribute": "OUName",
"hierarchyAttribute": "Parent",
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "OUName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "OUId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ServiceControlPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692611",
"name": "SCP"
},
"description": "Service Control Policies attached to the Organization Unit",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "Parent",
"type": "STRING",
"schema": null,
"description": "Parent Organization Unit",
"isMulti": false,
"isEntitlement": false,
"isGroup": true
},
{
"name": "AWSAccounts",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692612",
"name": "AWSAccount"
},
"description": "AWS Accounts attached to the Organization Unit",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
}
],
"id": "2c9180887b36bc33017b3bc6ec692613",
"name": "OrganizationUnit",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
}Here is what it should look like after you modify it:
Copy
[
{
"nativeObjectType": "account",
"identityAttribute": "ARN",
"displayAttribute": "UserName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [],
"configuration": {},
"attributes": [
{
"name": "UserName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "UserId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "Path to the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "User Creation date",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ConsoleAccess",
"type": "STRING",
"schema": null,
"description": "Password Status",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Groups",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260c",
"name": "group"
},
"description": "Groups the user is a part of",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "AWSManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260d",
"name": "AWSManagedPolicy"
},
"description": "AWS Managed Policies directly assigned to this user",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "CustomerManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260e",
"name": "CustomerManagedPolicy"
},
"description": "Customer Managed Policies directly assigned to this user",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "InlinePolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260f",
"name": "InlinePolicy"
},
"description": "Inline Policies directly assigned to this user",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "Access Keys",
"type": "STRING",
"schema": null,
"description": "Access keys associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWS CodeCommit HTTPS Credentials",
"type": "STRING",
"schema": null,
"description": "AWS CodeCommit HTTPS Git credentials associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWS CodeCommit SSH Keys",
"type": "STRING",
"schema": null,
"description": "AWS CodeCommit SSH public keys associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Signing Certificates",
"type": "STRING",
"schema": null,
"description": "Signing Certificates associated with the user",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PasswordLastUsed",
"type": "STRING",
"schema": null,
"description": "Password last used date of the user",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AccessKeyLastUsed",
"type": "STRING",
"schema": null,
"description": "Access key last used details of the user ",
"isMulti": true,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260b",
"name": "account",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "group",
"identityAttribute": "ARN",
"displayAttribute": "GroupName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "GroupName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "GroupId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "Path to the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "Creation date of the group",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSManagedPolicies",
"type": "STRING",
"schema": null,
"description": "AWS Managed Policies directly assigned to the group",
"isMulti": true,
"isEntitlement": true,
"isGroup": false
},
{
"name": "CustomerManagedPolicies",
"type": "STRING",
"schema": null,
"description": "Customer Managed Policies directly assigned to the group",
"isMulti": true,
"isEntitlement": true,
"isGroup": false
},
{
"name": "InlinePolicies",
"type": "STRING",
"schema": null,
"description": "Inline Policies directly assigned to the group",
"isMulti": true,
"isEntitlement": true,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260c",
"name": "group",
"created": "2021-08-12T19:11:37.577Z",
"modified": "2021-08-12T19:11:37.673Z"
},
{
"nativeObjectType": "AWSManagedPolicy",
"identityAttribute": "ARN",
"displayAttribute": "PolicyName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "PolicyName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "A friendly description of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "The path to the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "The creation date of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "UpdateDate",
"type": "STRING",
"schema": null,
"description": "The last update date of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "DefaultVersionId",
"type": "STRING",
"schema": null,
"description": "The currently enabled version ID of the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the AWS managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260d",
"name": "AWSManagedPolicy",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "CustomerManagedPolicy",
"identityAttribute": "ARN",
"displayAttribute": "PolicyName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"PROVISIONING",
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "PolicyName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "A friendly description of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "The creation date of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "UpdateDate",
"type": "STRING",
"schema": null,
"description": "The last update date of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "The path to the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "DefaultVersionId",
"type": "STRING",
"schema": null,
"description": "The currently enabled version ID of the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the customer managed policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyGroups",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260c",
"name": "group"
},
"description": "Groups attached to the customer managed policy",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "PolicyRoles",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec692610",
"name": "Role"
},
"description": "Roles attached to the customer managed policy",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
}
],
"id": "2c9180887b36bc33017b3bc6ec69260e",
"name": "CustomerManagedPolicy",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "InlinePolicy",
"identityAttribute": "Id",
"displayAttribute": "Name",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "Name",
"type": "STRING",
"schema": null,
"description": "The friendly name of the policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Id",
"type": "STRING",
"schema": null,
"description": "The unique ID of the policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "PolicyJSON",
"type": "STRING",
"schema": null,
"description": "The JSON document for the policy",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec69260f",
"name": "InlinePolicy",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
},
{
"nativeObjectType": "Role",
"identityAttribute": "ARN",
"displayAttribute": "RoleName",
"hierarchyAttribute": null,
"includePermissions": false,
"features": [
"PROVISIONING",
"NO_GROUP_PERMISSIONS_PROVISIONING"
],
"configuration": {},
"attributes": [
{
"name": "RoleName",
"type": "STRING",
"schema": null,
"description": "The friendly name of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "RoleId",
"type": "STRING",
"schema": null,
"description": "The unique ID of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Path",
"type": "STRING",
"schema": null,
"description": "Path to the Role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "ARN",
"type": "STRING",
"schema": null,
"description": "Amazon Resource Name of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "Description",
"type": "STRING",
"schema": null,
"description": "Role Description",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "CreateDate",
"type": "STRING",
"schema": null,
"description": "Creation date of the role",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "AWSManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260d",
"name": "AWSManagedPolicy"
},
"description": "AWS Managed Policies directly assigned to the role",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "CustomerManagedPolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260e",
"name": "CustomerManagedPolicy"
},
"description": "Customer Managed Policies directly assigned to the role",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "InlinePolicies",
"type": "STRING",
"schema": {
"type": "CONNECTOR_SCHEMA",
"id": "2c9180887b36bc33017b3bc6ec69260f",
"name": "InlinePolicy"
},
"description": "Inline Policies directly assigned to the role",
"isMulti": true,
"isEntitlement": true,
"isGroup": true
},
{
"name": "TrustPolicyJSON",
"type": "STRING",
"schema": null,
"description": "Trust Relationship Policy JSON",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
},
{
"name": "MaxSessionDuration",
"type": "STRING",
"schema": null,
"description": "Maximum CLI/API session duration",
"isMulti": false,
"isEntitlement": false,
"isGroup": false
}
],
"id": "2c9180887b36bc33017b3bc6ec692610",
"name": "Role",
"created": "2021-08-12T19:11:37.577Z",
"modified": null
}
]