IAM User Authentication Method
Customer managed policies must be created and attached to the AWS Service IAM User and to the role, respectively, as listed in the table below.
Note
The AWS System Administrator can refine the Permission Policies as needed.
Note
If the ‘Include AWS Account IDs’ list is specified and the application has no organization schema, the AWS Service IAM User does not need the ‘iam:GetUser’ API permission.
The policy names and the role that are used are described below:
- SPServiceIAMUser: an IAM user in the management account (or in a designated Service IAM User account) that the connector uses as its service account for your AWS environment.
- SPOrganizationPolicy: allows management of Organization entities. This policy is only created if the ServiceIAMUser is created in your organization’s management AWS account.
- SPAggregationPolicy: allows mostly read access in order to aggregate IAM entities from your AWS environment.
- SPProvisioningPolicy: allows write access for provisioning IAM entities back to your AWS environment.
- SPServiceIAMUserAccess: a role that has the above-mentioned policies attached and that the ServiceIAMUser assumes to perform all the tasks the connector needs.
See Non Multiple-group Object Source Policies or Multiple Group Object Source Policies for examples of these policies.
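The trust relationship this setup relies on (the service user assumes the SPServiceIAMUserAccess role, and the role carries the aggregation and provisioning policies) is easy to get wrong, so the following is an added example, not the connector's own policy documents and not the policies on the linked pages. It builds the two small documents the page's description implies (the role's trust policy and the user's sts:AssumeRole permission) and audits sample aggregation and provisioning policies for write actions. The account ID is AWS's documented example value, the ARNs and the sample action lists are constructed for illustration, and the read-only classification by Get/List/Describe prefix is an assumption of this example.

```python
import json
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed placeholders, not values from the page: AWS's documented example
# account ID and hypothetical ARNs that mirror the page's naming.
ACCOUNT_ID = "123456789012"
SERVICE_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/SPServiceIAMUser"
ACCESS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/SPServiceIAMUserAccess"

# Assumption of this example: actions matching these patterns only read state.
# Everything else (including "*" and "iam:*") is treated as a write.
READ_ONLY_PATTERNS = ("*:Get*", "*:List*", "*:Describe*")


def trust_policy_for(service_user_arn: str) -> Dict:
    """Trust policy for the access role: only the named service user may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": service_user_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def assume_role_policy_for(role_arn: str) -> Dict:
    """Customer managed policy for the service user: the user itself only needs
    to assume the access role; the IAM permissions live on the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def allowed_actions(policy: Dict) -> List[str]:
    """Flatten the Action field of every Allow statement (string or list)."""
    actions: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.extend([act] if isinstance(act, str) else act)
    return actions


def write_actions(policy: Dict) -> List[str]:
    """Return the allowed actions that are not read-only under READ_ONLY_PATTERNS.
    For an aggregation policy this list should be empty."""
    return [a for a in allowed_actions(policy)
            if not any(fnmatchcase(a, p) for p in READ_ONLY_PATTERNS)]


def foreign_principals(trust_policy: Dict, expected_arn: str) -> List[str]:
    """Return any principal in the trust policy other than the expected service user."""
    found: List[str] = []
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {}).get("AWS", [])
        for p in [principal] if isinstance(principal, str) else principal:
            if p != expected_arn:
                found.append(p)
    return found


# Constructed sample policies (illustrative action lists, not the real ones).
SAMPLE_AGGREGATION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "iam:ListUsers", "iam:GetUser", "iam:ListRoles", "iam:ListGroups",
        "iam:ListAttachedUserPolicies"]}],
}
SAMPLE_PROVISIONING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "iam:GetUser", "iam:CreateUser", "iam:DeleteUser",
        "iam:AddUserToGroup", "iam:RemoveUserFromGroup"]}],
}

if __name__ == "__main__":
    print(json.dumps(trust_policy_for(SERVICE_USER_ARN), indent=2))
    print(json.dumps(assume_role_policy_for(ACCESS_ROLE_ARN), indent=2))
    print("aggregation write actions:", write_actions(SAMPLE_AGGREGATION_POLICY))
    print("provisioning write actions:", write_actions(SAMPLE_PROVISIONING_POLICY))
```

Running the audit against your real SPAggregationPolicy before attaching it is a cheap way to catch a stray write permission, and `foreign_principals` flags a trust policy that was widened to an account root or to `*` rather than the single service user the page describes.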