Configure AWS Identity and Access Management for AI agent imports
To import AI agents from AWS Identity and Access Management (IAM), you need to create a permission policy that allows Okta to retrieve the app's AI agents. Then you need to apply that permission policy to your AWS IAM user account.
After you've completed these configurations, follow the steps in Enable AI agent imports for an app.
Create a permission policy
- Sign in to your AWS IAM tenant.
- Select .
- Set the username to okta-ai-agent-import.
- Select the user that you created in the previous step and click Permissions.
- Click Add inline policy.
- Go to the JSON tab.
- To configure the permission policy for both Amazon Bedrock Agents and Amazon Bedrock AgentCore, enter the following text:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "OktaAIAgentImport",
        "Effect": "Allow",
        "Action": [
          "sts:GetCallerIdentity",
          "bedrock:GetAgent",
          "bedrock:ListAgents",
          "bedrock-agentcore:ListAgentRuntimes",
          "bedrock-agentcore:GetAgentRuntime"
        ],
        "Resource": "*"
      }
    ]
  }
- To configure the permission policy for only Amazon Bedrock Agents, enter the following text:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "OktaAIAgentImport",
        "Effect": "Allow",
        "Action": [
          "sts:GetCallerIdentity",
          "bedrock:GetAgent",
          "bedrock:ListAgents"
        ],
        "Resource": "*"
      }
    ]
  }
- To configure the permission policy for only AWS Bedrock AgentCore, enter the following text:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "OktaAIAgentImport",
        "Effect": "Allow",
        "Action": [
          "sts:GetCallerIdentity",
          "bedrock-agentcore:ListAgentRuntimes",
          "bedrock-agentcore:GetAgentRuntime"
        ],
        "Resource": "*"
      }
    ]
  }
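A least-privilege check for the policies above, as an added example (not Okta's or AWS's code): it flags anything on the import user's inline policy beyond the actions this page lists, and anything missing. The function name, the mode labels and the sample policy are assumptions constructed for illustration.

```python
import json

# Actions granted by the page's three policies, keyed by a hypothetical mode label.
BASE = {"sts:GetCallerIdentity"}
BEDROCK_AGENTS = {"bedrock:GetAgent", "bedrock:ListAgents"}
AGENTCORE = {"bedrock-agentcore:ListAgentRuntimes", "bedrock-agentcore:GetAgentRuntime"}
EXPECTED = {
    "both": BASE | BEDROCK_AGENTS | AGENTCORE,
    "agents": BASE | BEDROCK_AGENTS,
    "agentcore": BASE | AGENTCORE,
}

def _as_list(value):
    """IAM accepts a single string or object where a list is allowed."""
    return value if isinstance(value, list) else [value]

def audit_import_policy(policy_json, mode="both"):
    """Return findings; an empty list means the policy matches the page's policy for `mode`."""
    expected = {a.lower(): a for a in EXPECTED[mode]}  # IAM action names are case-insensitive
    findings, granted = [], set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append("NotAction in an Allow statement grants everything not listed")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() not in expected:
                findings.append(f"action not needed for import: {action}")
            else:
                granted.add(action.lower())
    findings += [f"missing action: {expected[a]}" for a in sorted(expected.keys() - granted)]
    return findings

# Constructed sample: the page's Bedrock Agents policy with two extra grants added.
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OktaAIAgentImport", "Effect": "Allow",
        "Action": ["sts:GetCallerIdentity", "bedrock:GetAgent",
                   "bedrock:ListAgents", "bedrock:InvokeAgent", "iam:*"],
        "Resource": "*",
    }],
})

if __name__ == "__main__":
    print("\n".join(audit_import_policy(SAMPLE, mode="agents")))
```

Run it against the JSON of the inline policy attached to okta-ai-agent-import, once after setup and again on each review, so that permissions added later are caught.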
Generate an access key and secret access key
- In AWS IAM, select the user that you created in the previous section.
- Select .
- Copy the access key and secret access key and store them safely.
Next step