Skip to content

Assume Role Link to SailPoint Entro

This section explains how to connect the IAM Role you created in AWS to SailPoint Entro. By linking the role via its Role ARN, SailPoint Entro can securely assume the role to read metadata and detect exposed secrets, without storing or using long‑term credentials.


AWS Console → IAM → Roles → Create Role → Another AWS Account


  1. Retrieve the IAM Role ARN

    • In the AWS Console, go to IAM → Roles.

    • Locate the role you created earlier (EntroRoleAWS).

    • Copy its Role ARN (e.g. arn:aws:iam::123456789012:role/EntroRoleAWS).

  2. Open the SailPoint Entro Dashboard

    • Log into the SailPoint Entro Dashboard.

    • Navigate to Management → Accounts & Integrations → Add New Account.

    • Select AWS → Manual Onboarding → Assume Role.

  3. Enter Required Details

    In the SailPoint Entro onboarding wizard:

    Field Description
    AWS Role ARN Paste the Role ARN copied from AWS.
    Environment Choose the environment (e.g., Production, Development).
    Worker Group (Connector) Select the connector that will handle sync operations.

    Once the fields are filled out, click Create Account.

  4. Validation

    • SailPoint Entro attempts to assume the IAM Role using AWS STS.

    • On success, the integration status will display as Active.

    • Secrets, tokens, and NHIs from AWS begin populating automatically under Inventory → Secrets and Inventory → NHIs.

  5. Optional CloudTrail Verification

    To verify the assume-role activity in AWS CloudTrail:

    • Go to CloudTrail → Event History.

    • Search for Event name = AssumeRole.

    • Confirm the Principal corresponds to SailPoint Entro’s AWS Account ID.

Troubleshooting

SailPoint Entro cannot assume role

  • Cause: External ID mismatch or incorrect ARN

  • Resolution: Verify the role's trust relationship (allowing SailPoint Entro to assume the role) and confirm the Role ARN you pasted is correct.

Account not appearing in SailPoint Entro

  • Cause: Permission or network issue

  • Resolution: Ensure the EntroReadOnlyAccess policy is attached to the role and that outbound HTTPS is allowed from your network to permit the integration.

Secrets not syncing

  • Cause: Insufficient permissions

  • Resolution: Review the attached IAM Policy for missing actions required to list/read the resources SailPoint Entro needs.

Security Note

  • SailPoint Entro uses temporary AWS STS credentials to assume your IAM role.
  • No permanent credentials are stored.
  • All communications are encrypted using HTTPS/TLS.