IAM Role Creation Steps
After creating the EntroReadOnlyAccess policy, the next step is to create an IAM Role that SailPoint Entro can securely assume. This role establishes a trust relationship with SailPoint Entro’s AWS Account and applies the read-only permissions from the previously created policy.
Navigation Path
AWS Console → IAM → Roles → Create Role → Another AWS Account
-
Create a New IAM Role
-
Sign in to the AWS Management Console.
-
Navigate to IAM → Roles → Create Role.
-
Under Trusted Entity Type, select Another AWS Account.
-
In the Account ID field, enter the SailPoint Entro AWS Account ID displayed in the SailPoint Entro setup wizard.
-
Check Require external ID and paste the External ID provided by SailPoint Entro.
-
Click Next.
-
Attach the SailPoint Entro Policy
-
From the list of policies, search for
EntroReadOnlyAccess. -
Select the checkbox next to it.
-
Click Next: Tags (optional).
-
Choose Next: Review.
-
Enter the following details:
-
Role name:
EntroRoleAWS(Must begin with "EntroRole") -
Description: Allows SailPoint Entro to assume a read-only role for AWS integration.
-
-
Click Create Role.
-
-
-
Review Trust Relationship
After the role is created, verify its Trust Relationship in the AWS Console. This defines the permission for SailPoint Entro to assume the role using the external ID.
Example JSON:
trust-policy.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::<ENTRO_ACCOUNT_ID>:user/liminal-saas-assume-role" }, "Condition": { "StringEquals": { "sts:ExternalId": "<ENTRO_EXTERNAL_ID>" } } }, { "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::<ENTRO_ACCOUNT_ID>:role/EntroTrustRole-<ENTRO_EXTERNAL_ID>" }, "Condition": { "StringEquals": { "sts:ExternalId": "<ENTRO_EXTERNAL_ID>" } } } ] } -
Confirm Role Creation
Return to IAM → Roles and verify:
-
Role name =
EntroRoleAWS -
Attached policy =
EntroReadOnlyAccess -
Trust relationship includes SailPoint Entro’s AWS Account ID and External ID
-
-
Retrieve Role ARN
-
Click on the created role.
-
Copy the Role ARN (e.g.
arn:aws:iam::123456789012:role/EntroRoleAWS). -
You’ll use this ARN in the next step to connect the role to SailPoint Entro.
-
Security Validation
- SailPoint Entro assumes this role using temporary credentials only.
- No write, delete, or modify actions are permitted.
- Role usage can be monitored in AWS CloudTrail for full traceability.