Required Permissions

IAM User Authentication Method

Customer-managed policies containing the permissions below must be created and attached to the IAM user or IAM role that IdentityIQ uses for the AWS service, as outlined under each authentication method.

Note
The AWS System Administrator can refine the Permission Policies as needed.

The permissions below apply to the following use cases:

  • Permissions are assigned directly to the IAM user

  • Permissions are assigned to a role without an external ID, and the role is assigned to the user

  • Permissions are assigned to a role with an external ID, and the role is assigned to the user

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "identitystore:IsMemberInGroups",
                    "identitystore:ListGroupMemberships",
                    "identitystore:DescribeUser",
                    "identitystore:GetGroupMembershipId",
                    "identitystore:GetGroupId",
                    "identitystore:DeleteUser",
                    "identitystore:DescribeGroupMembership",
                    "identitystore:CreateUser",
                    "identitystore:ListGroups",
                    "identitystore:ListUsers",
                    "identitystore:UpdateUser",
                    "identitystore:ListGroupMembershipsForMember",
                    "organizations:Describe*",
                    "identitystore:DeleteGroupMembership",
                    "identitystore:CreateGroupMembership",
                    "identitystore:DescribeGroup",
                    "organizations:List*",
                    "identitystore:GetUserId",
                    "sso:CreateAccountAssignment",
                    "sso:DeleteAccountAssignment",
                    "sso:ProvisionPermissionSet",
                    "sso:DescribePermissionSet",
                    "sso:GetInlinePolicyForPermissionSet",
                    "sso:GetPermissionsBoundaryForPermissionSet",
                    "sso:ListAccountAssignments",
                    "sso:ListAccountsForProvisionedPermissionSet",
                    "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
                    "sso:ListInstances",
                    "sso:ListManagedPoliciesInPermissionSet",
                    "sso:ListPermissionSets",
                    "sso:ListAccountAssignmentsForPrincipal"
                ],
                "Resource": "*"
            }
        ]
    }

IAM Role Authentication Method

  • IAM role-based authentication can be used when SailPoint IdentityIQ is hosted on an AWS EC2 instance.

  • The EC2 instance must not have IAM user credentials stored in its credential chain; the instance role is used instead.

  • The EC2 instance can be in any AWS account (either the management account or a member account).

Trust Relationship

The role must be added to the account from which the data will be aggregated.

arn:aws:iam::AccountId1:role/<Cross Role created in AWS accounts>

Note
AccountId1 should be the management account ID.
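The trust relationship (assume role policy) that the cross role above needs, as an added example that is not part of the original page. The principal ARN and the external ID value are placeholders: the principal is whichever IAM role or user the IdentityIQ host authenticates as (for an EC2-hosted IdentityIQ, its instance role) in the account where IdentityIQ runs, and the Sid is an arbitrary label. The Condition block enforces the external ID; for the use case without an external ID, remove that block and keep the rest unchanged.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowIdentityIQHostToAssumeCrossRole",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<IdentityIQ host account Id>:role/<IdentityIQ EC2 instance role>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<External ID configured on the IdentityIQ application>"
                }
            }
        }
    ]
}
```

Keep the principal scoped to the single role or user IdentityIQ actually uses rather than the whole host account root, so that only that principal can assume the cross role; the external ID must match the value entered in IdentityIQ exactly, or the AssumeRole call is denied.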

The permissions below apply to the following use cases:

  • Role with the required permissions and without an external ID (in this case, remove the Condition block from the role's assume role policy)

  • Role with the required permissions and with an external ID

    Note
    The external ID can also be provided when creating the role.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "identitystore:IsMemberInGroups",
                    "identitystore:ListGroupMemberships",
                    "identitystore:DescribeUser",
                    "identitystore:GetGroupMembershipId",
                    "identitystore:GetGroupId",
                    "identitystore:DeleteUser",
                    "identitystore:DescribeGroupMembership",
                    "identitystore:CreateUser",
                    "identitystore:ListGroups",
                    "identitystore:ListUsers",
                    "identitystore:UpdateUser",
                    "identitystore:ListGroupMembershipsForMember",
                    "organizations:Describe*",
                    "identitystore:DeleteGroupMembership",
                    "identitystore:CreateGroupMembership",
                    "identitystore:DescribeGroup",
                    "organizations:List*",
                    "identitystore:GetUserId",
                    "sso:CreateAccountAssignment",
                    "sso:DeleteAccountAssignment",
                    "sso:ProvisionPermissionSet",
                    "sso:DescribePermissionSet",
                    "sso:GetInlinePolicyForPermissionSet",
                    "sso:GetPermissionsBoundaryForPermissionSet",
                    "sso:ListAccountAssignments",
                    "sso:ListAccountsForProvisionedPermissionSet",
                    "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
                    "sso:ListInstances",
                    "sso:ListManagedPoliciesInPermissionSet",
                    "sso:ListPermissionSets",
                    "sso:ListAccountAssignmentsForPrincipal"
                ],
                "Resource": "*"
            }
        ]
    }