Connect an AWS account

This is an Early Access feature. To enable it, contact Okta Support.

AWS Server Discovery connects one or more AWS accounts to a project so Advanced Server Access can automatically add or remove AWS servers. A project can connect to multiple AWS accounts, but an AWS account can only be associated with a single project across all Advanced Server Access teams.

Advanced Server Access also uses an Okta-managed service account (referred to as an External ID) to interrogate your AWS accounts. These service accounts are unique to each connected cloud account and are used to discover active EC2 instances and any associated metadata. These accounts require minimal read permissions granted via an AWS IAM role. For more information on IAM roles, see the AWS documentation.

An AWS IAM role is required for Server Discovery and Cloud Auto-enrollment to work correctly.

  1. Identify your AWS account ID.
    1. Go to the Amazon Web Services management console
    2. At the top of the page, select the dropdown menu next to your profile name and click My Account.
    3. Under Account Settings, note your account ID number.
  2. Configure the project.
    1. Go to the Advanced Server Access admin console.
    2. Go to the Projects page and select a project for your server.
    3. Open the Enrollment tab.
    4. Click Link Cloud Account.
    5. From the Create Cloud Account window, configure the cloud account settings.
      Cloud Provider: Select Amazon Web Services.
      Account ID: Enter the account ID you noted earlier.
      Description: Enter a description to help identify the connection.
      AWS ASA Account ID & External ID: Note these values for use in the next step. These are related to an Okta-managed AWS service account and differ from your AWS Account ID.
      For details on using an External ID, see the AWS documentation.
  3. Create the AWS IAM role.
    1. In a new browser window, access the Amazon Web Services management console and open the IAM console.
      Note: Do not close the Create Cloud Account window.
    2. Go to the Roles page and click Create role.
    3. From the Create Role window, choose the Another AWS account role type.
    4. Under Account ID, enter the AWS ASA Account ID you noted from the previous step.
    5. Select Require external ID and enter the External ID you noted from the previous step.
    6. Click Next: Permissions.
    7. Grant AmazonEC2ReadOnlyAccess permissions to the role.
      Note: You can alternatively click Create Policy to create a new custom policy. Your custom policy must include the following: {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
      For details, see the AWS documentation.
    8. Click Next: Tags.
    9. Click Next: Review.
    10. Review the settings and click Create role.
    11. Note the Amazon Resource Name (ARN) for later use.
  4. Return to the Advanced Server Access Create Cloud Account window.
  5. In the Role field, enter the ARN.
  6. Click Submit.
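As an added illustration (not Okta's or AWS's code) of what steps 3.3 to 3.7 produce in the IAM console, the following builds the cross-account trust policy with the required External ID and the minimal ec2:Describe* permissions policy, and includes a check that a trust policy is scoped to the ASA account and requires the External ID. The account ID and External ID are constructed placeholders, not real values.

```python
import json

# Constructed placeholders: use the AWS ASA Account ID and External ID from the
# Create Cloud Account window in place of these values.
ASA_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"

def build_trust_policy(asa_account_id: str, external_id: str) -> dict:
    """Trust policy matching the console's 'Another AWS account' role type with
    'Require external ID': only the ASA account, presenting the External ID, may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{asa_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def build_permissions_policy() -> dict:
    """Custom read-only policy carrying the statement the page requires."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

def trust_policy_is_scoped(policy: dict, asa_account_id: str, external_id: str) -> bool:
    """True only if every Allow statement granting sts:AssumeRole names just the
    ASA account as principal and requires the expected External ID."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        # Reject wildcard or foreign principals (confused-deputy risk) and a missing External ID.
        if not aws or any(p == "*" or (p != asa_account_id and f":{asa_account_id}:" not in p) for p in aws):
            return False
        if stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            return False
    return True

def render(policy: dict) -> str:
    """JSON text to paste into the IAM policy editor."""
    return json.dumps(policy, indent=2)
```

Run `trust_policy_is_scoped` against the trust policy shown on the role's Trust relationships tab after creation to confirm the External ID condition was not dropped during editing.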

Advanced Server Access connects the cloud account to the project and discovers any active EC2 instances. The discovery process runs daily at roughly the same time the cloud account was originally connected. This continues until the cloud account is disconnected from the project.

You must install the Advanced Server Access server agent on an instance to actually enroll it in a project. Until the server is enrolled, users cannot connect to the server through Advanced Server Access and some server details may not sync correctly.

You can use an enrollment token from a different project to redeploy the server from the AWS-connected project. This is sometimes done when the server administrator for a discovered AWS server belongs to an Advanced Server Access group associated with another project.

Next steps

Deploy an AWS server with an enrollment token