
Active Directory Integration with AWS

Active Directory can be integrated with AWS environments to allow users to use their existing login credentials, manage their user identities outside of AWS, and give these external user identities permissions to use AWS resources in their account.

When integrating Active Directory with AWS, the AWS S3 permissions need to be mapped to the Active Directory users and groups by using an Identity Provider (IdP).

We support AWS SAML and OpenID Connect IdPs when the mapping is done in the following way:

  • Using Active Directory group naming configuration. This method is ideal when the client's IdP supports it and the client created these groups.

Example: Active Directory group name: ad-aws-int-test1#Okta_IDP_Role_2#832879285990. This follows the Active Directory group name template [some name]#[role name]#[account id]. The user configures the regular expression (regex) in Data Access Security.

Example: \S+#([\w-]+)#(\d+)$

We then use this expression to extract the IAM role name and the AWS account ID from the Active Directory group name and perform the mapping.
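The following added example (not SailPoint's own code, and not part of this page's product documentation) shows what that mapping step does with the group name template above. It assumes a regex of the form shown on this page; the group names "role" and "account", the anchoring with ^ and $, the 12-digit length check on the account ID, and the construction of the role ARN are this example's own assumptions. The sample group names are constructed: the page's example group, a plain AD group that must not produce a mapping, and a malformed name whose account part is too short.

```python
import re

# Assumed pattern, written in the form Data Access Security is described as
# using: [some name]#[role name]#[account id]. The named groups "role" and
# "account" are this example's assumption; ^ and $ force the whole group name
# to match so that stray prefixes or suffixes do not produce a mapping.
GROUP_NAME_PATTERN = re.compile(r"^\S+#(?P<role>[\w-]+)#(?P<account>\d+)$")


def map_group_to_role(group_name, pattern=GROUP_NAME_PATTERN):
    """Return (role_name, account_id) for a matching AD group name, else None."""
    m = pattern.fullmatch(group_name)
    if not m:
        return None
    account = m.group("account")
    # AWS account IDs are exactly 12 digits; a shorter or longer digit run is
    # treated as a misnamed group rather than silently mapped (example's choice).
    if len(account) != 12:
        return None
    return m.group("role"), account


def role_arn(role_name, account_id):
    """Build the IAM role ARN the extracted pieces identify."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def map_groups(group_names, pattern=GROUP_NAME_PATTERN):
    """Map every AD group name to a role ARN.

    Groups that do not fit the template are returned separately so an
    administrator can review them instead of losing them silently.
    """
    mapped, skipped = {}, []
    for name in group_names:
        result = map_group_to_role(name, pattern)
        if result is None:
            skipped.append(name)
            continue
        mapped[name] = role_arn(*result)
    return mapped, skipped


# Constructed sample input: the page's example group plus two groups that
# must not be mapped (an ordinary AD group and one with a 5-digit account part).
SAMPLE_GROUPS = [
    "ad-aws-int-test1#Okta_IDP_Role_2#832879285990",
    "Domain Users",
    "ad-aws-int-test2#SomeRole#12345",
]

if __name__ == "__main__":
    mapped, skipped = map_groups(SAMPLE_GROUPS)
    for group, arn in mapped.items():
        print(f"{group} -> {arn}")
    print("not mapped:", skipped)
```

Running the block maps only the first sample group, to arn:aws:iam::832879285990:role/Okta_IDP_Role_2, and reports the other two as not mapped. Keeping the unmapped names visible matters in practice: a group that silently fails the regex is a user who unexpectedly loses (or never gains) S3 access, and a regex that is too loose is one that grants a role from a group name nobody intended to be a mapping.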

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.