IAM Role Authentication Method

IAM Role based Authentication can be used when SailPoint is hosted on the AWS EC2 instance.
The EC2 instance must not have IAM User AWS credentials stored as credential chain.
The EC2 instance can be present in any of the AWS Accounts (that is, either the Management AWS Account or in Member AWS Account).

See Non Multiple-group Object Source Policies or Multiple Group Object Source Policies for examples of these policies.

Trust relationship

The role must be added in the Account from where the data would be aggregated

arn:aws:iam::AccountId1:role/<Cross Role created in AWS accounts>

Note
The External ID can also be provided while creating the Role.

Assume Role Permissions for EC2 Instances

For Role Authentication, the role associated with the EC2 instance must have the assume role permissions with the common role across the AWS accounts from where the data must be aggregated.

For example, the following is the JSON format for the policy permissions:

Copy

 {
  "Version": "2012-10-17",
  "Statement": [
     {
       "Effect": "Allow",
       "Principal": {
       "AWS": [
               "arn:aws:iam::AccountId1:role/<Cross Role created in AWS accounts>"
              ]
                },
                 "Action": "sts:AssumeRole",
                 "Condition": {
                 "StringEquals": {
                                 "sts:ExternalId": "External ID associated with role"
           }
        }
     }
   ]
}


	You are here: