About integrating multiple AWS instances

Note: Connecting multiple Amazon Web Services (AWS) accounts using the API is not supported.

The following diagram illustrates the workflow you follow when you connect multiple Amazon Web Services (AWS) instances to Okta:

Set up AWS for SAML

Each of your AWS accounts must be configured for SAML access. To do this, add Okta as a trusted IDP to the AWS account and then create a trust relationship for each role that permits access via the new IDP. These are the same steps you follow to provide SAML SSO into any single AWS account, but they must be performed in every one of your accounts. For advanced organizations, this process can be automated with CloudFormation or AWS API scripts so that a simple SAML setup is applied in each account.

Create a management layer of groups in an external directory

Once SAML is configured, create AWS role groups in an external directory for each role and account you want users to be able to access using Okta. This can be done with a script that reads roles from AWS and writes groups to the external directory, by exporting a CSV file of roles and scripting against that file on the external-directory side, or manually.

Next, create a link between the AWS role-specific groups and other external-directory groups by making each management group a member of the AWS role groups to which you want to grant it access. Assign users to a management group to give them access to every AWS role and account whose role group includes that management group as a member.

Configure the AWS app in Okta for group-based role assignment

In Okta, import both the external-directory management groups and role groups using the appropriate Okta external agent.

Next, assign your management groups to the AWS application you set up earlier. This assigns the proper users to the AWS app.

Finally, set up group-based role assignment to translate the name of each of your AWS role groups into a format that AWS can consume, so that the user's roles are listed on the Role Picker Page.
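As an added example (not part of the original Okta documentation), the following Python script shows the two pieces of automation this procedure calls for: the per-role trust relationship that accepts assertions only from the account's SAML provider, and the translation of role group names into the `provider-arn,role-arn` pairs that AWS expects in the SAML Role attribute. The group naming convention `aws#<account id>#<role>` and the SAML provider name `Okta` are assumptions for this example, not values the page prescribes.

```python
import json
import re

# Assumed naming convention for the external-directory role groups
# (constructed for this example; use whatever convention your scripts produce):
#   aws#<12-digit account id>#<IAM role name>
ROLE_GROUP_RE = re.compile(r"^aws#(?P<account>\d{12})#(?P<role>[\w+=,.@-]{1,64})$")
SAML_PROVIDER_NAME = "Okta"  # assumed name of the IAM SAML provider in each account
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def trust_policy(account_id: str) -> dict:
    """Trust relationship to attach to every role Okta should be able to assume.
    Only assertions from the named SAML provider carrying the AWS sign-in audience
    are accepted; any other principal is refused."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER_NAME}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
        }],
    }


def parse_role_group(group_name: str):
    """Split a role group name into (account id, role name); None if it does not follow the convention."""
    m = ROLE_GROUP_RE.match(group_name)
    return (m["account"], m["role"]) if m else None


def saml_role_values(group_names):
    """Translate role group names into the 'provider-arn,role-arn' pairs AWS reads from
    the SAML Role attribute (one entry per role on the Role Picker Page). Names that do
    not follow the convention are reported rather than silently dropped."""
    values, rejected = [], []
    for name in group_names:
        parsed = parse_role_group(name)
        if parsed is None:
            rejected.append(name)
            continue
        account, role = parsed
        values.append(f"arn:aws:iam::{account}:saml-provider/{SAML_PROVIDER_NAME},"
                      f"arn:aws:iam::{account}:role/{role}")
    return values, rejected


if __name__ == "__main__":
    # Constructed sample: two role groups a management group is a member of, plus one malformed name
    groups = ["aws#111111111111#ReadOnly", "aws#222222222222#Admin", "finance-managers"]
    print(json.dumps(trust_policy("111111111111"), indent=2))
    print(saml_role_values(groups))
```

The rejected list is the check worth keeping in a real sync job: a management group that is a member of a misnamed role group would otherwise grant nothing without any error.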