AWS Manual Onboarding
If your organization restricts CloudFormation deployments, you can connect SailPoint Entro to AWS manually using an IAM Role Assume configuration. This process involves creating a custom IAM Policy and Role, establishing a trust relationship with SailPoint Entro’s AWS Account, and linking the Role ARN in the SailPoint Entro Dashboard.
Navigation Path
Management → Accounts & Integrations → Add New Account (top right) → AWS
Overview
Manual onboarding gives you complete control over permissions and policies while still providing SailPoint Entro with read-only access. The process consists of three primary steps:
-
Create IAM Policy – Define least-privilege read-only access for secrets and NHIs.
-
Create IAM Role – Establish a trusted relationship with SailPoint Entro’s AWS Account.
-
Connect Role to SailPoint Entro – Paste the Role ARN into SailPoint Entro’s setup wizard.
Architecture Diagram
Entro Security Cloud
↕ (Assume Role)
AWS Account
├── IAM Policy (EntroReadOnlyAccess)
├── IAM Role (EntroAWSIntegrationRole)
└── Secrets Manager / SSM / KMS
Prerequisites
-
IAM administrative privileges in the AWS account.
-
SailPoint Entro AWS Account ID and External ID (displayed in the SailPoint Entro setup wizard).
-
Outbound connectivity to
api.entro.security. -
Optional: Access to CloudTrail S3 bucket if audit log correlation is desired.
Complete the following:
-
Create IAM Policy
To grant SailPoint Entro limited, read-only visibility into your AWS environment, create a policy named EntroReadOnlyAccess.
Follow detailed instructions in: IAM Policy Creation Steps →
-
Create IAM Role
Create a role named EntroAWSIntegrationRole that allows SailPoint Entro’s AWS Account to assume it using the external ID provided in the wizard.
Full instructions: IAM Role Creation Steps →
-
Link the Role to SailPoint Entro
After creating the Role, copy its Role ARN from AWS IAM and paste it into SailPoint Entro’s Assume Role setup.
Detailed guide: Assume Role Link to SailPoint Entro →
(Optional) Connect CloudTrail Logs
If you want SailPoint Entro to correlate secret events with AWS CloudTrail, follow: AWS CloudTrail S3 Setup →
Validation Checklist
| Check | Description |
|---|---|
| IAM Policy created | EntroReadOnlyAccess exists in IAM |
| IAM Role created | EntroAWSIntegrationRole visible under IAM Roles |
| Role trust policy configured | SailPoint Entro AWS Account ID and external ID correctly applied |
| Role linked in SailPoint Entro | Account shows as Active in AWS Integrations |
| Optional CloudTrail connected | Verified under Integration Summary |
Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| Role not assumable | Trust policy missing SailPoint Entro principal | Update trust policy JSON |
| Secrets not detected | Missing Secrets Manager permission | Reattach read-only policy |
| Account not appearing in SailPoint Entro | Incorrect Role ARN | Re-enter ARN from AWS IAM console |