Learn about Amazon Web Services integration

Integrating your Amazon Web Services (AWS) instance with Okta lets your users authenticate to one or more AWS accounts and gain access to specific roles using single sign-on (SSO) with SAML. An Okta admin can download roles from one or more AWS accounts into Okta, and assign those accounts to users. In addition, an Okta admin can set the duration of the authenticated user sessions in Okta.

When signing in to AWS, users choose a role from a list of AWS roles assigned to them in one or more AWS accounts. This role defines their permissions for the authenticated session.

Here, an AWS account refers to an account in AWS, not to a user of that account.

The Okta AWS–SAML integration supports IdP-initiated SSO.

The Role attribute is used for the Federated User Login and Amazon IAM Role SSO modes. The Role attribute may also be used as a default value for SAML 2.0 if no SAML user roles are selected.

The SAML user roles attribute is used for SAML 2.0, because SAML supports multiple roles. If no values are selected for SAML user roles, a value from the Role drop-down is used as the default role.
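To review which roles and session duration a sign-in actually presents to AWS, the following added example (not Okta or AWS code) audits a decoded SAML assertion using AWS's SAML attribute names for roles and session duration. The account IDs, role names, the `audit_assertion` helper and the 3600-second policy limit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
DURATION_ATTR = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Constructed sample: account IDs, role names and provider name are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::111111111111:saml-provider/Okta,arn:aws:iam::111111111111:role/ReadOnly</saml:AttributeValue>
   <saml:AttributeValue>arn:aws:iam::222222222222:role/Admin,arn:aws:iam::222222222222:saml-provider/Okta</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
   <saml:AttributeValue>43200</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(root, name):
    """Collect the text of every AttributeValue under the named Attribute."""
    return [v.text.strip() for a in root.iterfind(".//saml:Attribute", NS)
            if a.get("Name") == name
            for v in a.iterfind("saml:AttributeValue", NS) if v.text]

def audit_assertion(xml_text, expected_accounts, max_duration=3600):
    """Return (roles, findings). Content audit only: the signature is not verified.
    max_duration is a local policy limit chosen for this example."""
    root = ET.fromstring(xml_text)
    roles, findings = [], []
    for value in attribute_values(root, ROLE_ATTR):
        # Identify each ARN by its resource type rather than by position in the pair.
        arns = [p.strip() for p in value.split(",")]
        role = next((a for a in arns if ":role/" in a), None)
        provider = next((a for a in arns if ":saml-provider/" in a), None)
        if len(arns) != 2 or not role or not provider:
            findings.append(f"malformed Role value: {value}")
            continue
        account = role.split(":")[4]
        roles.append((account, role.split(":role/", 1)[1]))
        if account not in expected_accounts:
            findings.append(f"role in unexpected account {account}: {role}")
        if provider.split(":")[4] != account:
            findings.append(f"provider and role accounts differ: {value}")
    for value in attribute_values(root, DURATION_ATTR):
        if not value.isdigit() or int(value) > max_duration:
            findings.append(f"session duration {value} not within policy limit of {max_duration}s")
    return roles, findings
```

Calling `audit_assertion(SAMPLE_ASSERTION, {"111111111111"})` reports the role in the second account and the 12-hour session as findings.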

If you create another Identity and Access Management (IAM) role after setting up the API integration in Okta, the role is not automatically available in Okta. To get this role into Okta, on the Application tab, click More and then Refresh Application Data. Okta then downloads the latest roles, along with profiles and groups from apps configured for user provisioning, and uses this data when creating new users in those apps.