After you configure Okta as the Amazon Web Services (AWS) account identity provider, you create or update existing IAM roles for Okta to retrieve and assign to users. Okta can only provide single sign-on (SSO) for users with roles that have been configured to grant access to the Okta SAML identity provider you configured in Add Okta as a trusted source for AWS roles.
- On the AWS Management Console, click Roles in the left pane.
- Click Create New Role.
- Click SAML 2.0 federation.
- Select Okta from the SAML provider drop-down list and then select Allow programmatic and AWS Management Console access.
- Click Next: Permissions.
- Select a permissions policy and click Next: Tags.
- Optional. Add descriptive tags for the role and click Next: Review.
- Enter a role name in the Role name field, add an optional description for the role, and click Create Role.
- Click the role name you created, click the Trust Relationship tab and then click Edit trust relationship.
- Select one of these options to permit Okta SSO (see Generate the AWS API access key):
  - If the policy document is empty, copy and paste the provided policy and replace <COPY & PASTE SAML ARN VALUE HERE> with the Amazon Resource Name (ARN) value you copied from Add Okta as a trusted source for AWS roles.
    "Federated": "<COPY & PASTE SAML ARN VALUE HERE>"
  - If the policy document already has content, modify it to include Okta SSO access. You need to include everything within the Statement code block, including the configurations for Effect, Principal, Actions, and Conditions. Replace <COPY & PASTE SAML ARN VALUE HERE> with the ARN value you copied when you completed Add Okta as a trusted source for AWS roles.
- Click Update Trust Policy.
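As an added check that is not part of the Okta or AWS documentation, the following Python validates a role trust policy before you click Update Trust Policy: it confirms that an Allow statement grants sts:AssumeRoleWithSAML to exactly your Okta SAML provider ARN and carries the SAML:aud condition, and it fills in the placeholder. The sample policy and the provider ARN arn:aws:iam::123456789012:saml-provider/Okta are constructed; the policy shape follows the one the console generates for SAML 2.0 federation.

```python
import json

# Constructed sample: the trust policy the console generates for a SAML 2.0
# federated role, with the Okta provider ARN placeholder still unreplaced.
SAMPLE_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Federated": "<COPY & PASTE SAML ARN VALUE HERE>"},
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
    }
  ]
}"""

PLACEHOLDER = "<COPY & PASTE SAML ARN VALUE HERE>"
# Audience AWS expects in the SAML assertion for console and API sign-in.
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def fill_provider_arn(policy_text: str, provider_arn: str) -> str:
    """Replace the placeholder with the real SAML provider ARN."""
    return policy_text.replace(PLACEHOLDER, provider_arn)


def check_saml_trust_policy(policy_text: str, provider_arn: str) -> list[str]:
    """Return problems found; an empty list means the policy trusts exactly
    the given SAML provider for sts:AssumeRoleWithSAML with the AWS audience."""
    problems = []
    found_saml_statement = False
    for st in json.loads(policy_text).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue  # not a SAML federation statement
        found_saml_statement = True
        principal = st.get("Principal", {})
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != provider_arn:
            problems.append(f"Federated principal is {federated!r}, expected {provider_arn!r}")
        aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            problems.append(f"SAML:aud condition is {aud!r}, expected {AWS_SAML_AUDIENCE!r}")
    if not found_saml_statement:
        problems.append("no Allow statement grants sts:AssumeRoleWithSAML")
    return problems
```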