Authorization

When you add an AWS SSO card to a Flow for the first time, you'll be prompted to configure the connection. This will enable you to connect your AWS SSO account, save your account information, and reuse the connection for future AWS SSO flows.

Tip

You can create multiple connections and manage them from your Connections page.

To create a new connection from an action card:

  1. Click New Connection.

  2. Enter a Connection Nickname. This is useful if you plan to create multiple AWS SSO connections to share with your team.

  3. Copy the ID from Account ID to the associated role's trust policy. See Providing access to AWS accounts owned by third parties.

  4. Copy the ID from External ID to the associated role's trust policy. The external ID is what stops another party who knows your role ARN from having Okta assume it on their behalf, so it must be present in the trust policy's condition. See Providing access to AWS accounts owned by third parties.

  5. Enter a Role Amazon Resource Name (ARN). See IAM Identifiers.

  6. Click Create.

Note

The role you create for AWS SSO operations must have an IAM policy attached to it that allows the actions in the following policy example:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sso:ListAccountAssignments",
                "organizations:ListAccounts",
                "sso:ListPermissionSets",
                "sso:CreateAccountAssignment",
                "sso:ListInstances",
                "sso:DeleteAccountAssignment"
            ],
            "Resource": "*"
        }
    ]
}
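The steps above put two policies on the role: a trust policy carrying the Account ID and External ID from the connection dialog, and the permissions policy shown in the note. The following script is an added example, not Okta's code or part of the connector: it builds the trust policy from those two values and then checks both policies the way a reviewer would before clicking Create. The account ID and external ID in it are constructed placeholders (substitute the values the dialog shows), and it assumes the Account ID from the dialog is the AWS account that will assume the role, which is what the trust policy's principal expresses.

```python
"""Build and sanity-check the IAM policies for an Okta Workflows AWS SSO role.

Added example, not Okta's or AWS's code. The two constants below are
placeholders; the real values come from the New Connection dialog.
"""
import json

# Constructed placeholders: the dialog's Account ID and External ID values.
CONNECTION_ACCOUNT_ID = "123456789012"
CONNECTION_EXTERNAL_ID = "example-external-id-from-dialog"

# Actions the permissions policy on this page grants; the check below
# reports any of them that a candidate policy fails to allow.
REQUIRED_ACTIONS = {
    "sso:ListAccountAssignments",
    "organizations:ListAccounts",
    "sso:ListPermissionSets",
    "sso:CreateAccountAssignment",
    "sso:ListInstances",
    "sso:DeleteAccountAssignment",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_trust_policy(account_id, external_id):
    """Trust policy: only the given account may assume the role, and only
    when it presents the matching sts:ExternalId (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def trust_policy_problems(policy, expected_account_id, expected_external_id):
    """Return a list of findings for every Allow statement that grants AssumeRole."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if principal == "*" or "*" in aws_principals:
            problems.append("trust policy allows any AWS principal to assume the role")
        elif not any(expected_account_id in p for p in aws_principals):
            problems.append("principal does not reference the connection's Account ID")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
        elif ext != expected_external_id:
            problems.append("sts:ExternalId does not match the connection's External ID")
    return problems


def missing_actions(permissions_policy):
    """Actions from REQUIRED_ACTIONS that no Allow statement in the policy grants."""
    granted = set()
    for stmt in permissions_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return sorted(REQUIRED_ACTIONS - granted)


if __name__ == "__main__":
    trust = build_trust_policy(CONNECTION_ACCOUNT_ID, CONNECTION_EXTERNAL_ID)
    print(json.dumps(trust, indent=4))
    print("trust policy findings:", trust_policy_problems(trust, CONNECTION_ACCOUNT_ID, CONNECTION_EXTERNAL_ID))
```

Run `trust_policy_problems` against the trust policy you actually attached (for example the output of `aws iam get-role`) and `missing_actions` against the permissions policy; an empty list from each means the role matches what the connection dialog and the note above require. A trust policy that names the right account but omits the `sts:ExternalId` condition is reported as a finding, because it is exactly the case the External ID step exists to prevent.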

Related topics

AWS SSO connector

About the elements of Okta Workflows

AWS Single Sign-On API Reference Guide