Learn about Amazon Web Services integration

When you integrate your Amazon Web Services (AWS) instance with Okta, users can authenticate to one or more AWS accounts and gain access to specific Identity and Access Management (IAM) roles using single sign-on (SSO) with SAML. An Okta admin can import roles from one or more AWS accounts into Okta and assign those roles to users. Admins can also set the duration of the authenticated AWS sessions in Okta.

Important Note

An AWS account refers to an account in AWS and not to a user of the account.

When signing in to AWS, users choose a role from a list of AWS roles assigned to them in one or more AWS accounts. This role defines their permissions for the authenticated session.

The Role attribute is used by the Federated User Login and Amazon IAM Role SSO modes. It also serves as the default value for SAML 2.0 when no SAML user roles are selected.

The SAML user roles attribute is used by SAML 2.0, because a SAML assertion can carry multiple roles for a user to choose from. If no values are selected for SAML user roles, the single value chosen in the Role drop-down is used as the default role. The Okta AWS–SAML integration supports IdP-initiated SSO.
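The AWS side of this exchange is a SAML assertion whose Role attribute carries one AttributeValue per entitled role, each a "role ARN, SAML provider ARN" pair, plus a RoleSessionName and an optional SessionDuration. The script below is an added example (not Okta's or AWS's code) that parses a constructed, unsigned assertion, validates each role pair the way a practitioner auditing the integration would, and applies the AWS limits on session duration; the account IDs, role names and the provider name Okta are made up. A real consumer must verify the assertion signature before trusting any of these values.

```python
"""Added example: inspect the AWS role entitlements carried in a SAML assertion.

Attribute names and value formats are the ones AWS defines for SAML federation.
The sample assertion is constructed and unsigned; verify signatures before trusting
attribute values in real code.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input
from dataclasses import dataclass

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
AWS_ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_ATTR_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_ATTR_SESSION_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

# Role names may contain "+=.@-" but not commas: the comma separates the pair.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@/-]+)$")
PROVIDER_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w._-]+)$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed sample (hypothetical accounts, roles and provider): two usable
# entitlements in different accounts plus one pair that straddles two accounts.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{AWS_ATTR_ROLE}">
      <saml:AttributeValue>arn:aws:iam::111111111111:role/OktaReadOnly,arn:aws:iam::111111111111:saml-provider/Okta</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::222222222222:role/OktaAdmin,arn:aws:iam::222222222222:saml-provider/Okta</saml:AttributeValue>
      <saml:AttributeValue>arn:aws:iam::333333333333:role/Broken,arn:aws:iam::444444444444:saml-provider/Okta</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR_SESSION_NAME}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{AWS_ATTR_SESSION_DURATION}">
      <saml:AttributeValue>3600</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


@dataclass(frozen=True)
class RoleEntitlement:
    account_id: str
    role_name: str
    role_arn: str
    provider_arn: str


def attribute_values(assertion_xml, name):
    """Return the AttributeValue strings of the named attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == name:
            for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                values.append((val.text or "").strip())
    return values


def parse_role_value(value):
    """Parse one 'role-arn,provider-arn' pair; AWS accepts the two in either order."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 2:
        raise ValueError(f"expected exactly one comma in Role value: {value!r}")
    role = provider = None
    for part in parts:
        if m := ROLE_ARN_RE.match(part):
            role = m
        elif m := PROVIDER_ARN_RE.match(part):
            provider = m
    if role is None or provider is None:
        raise ValueError(f"Role value must pair a role ARN with a saml-provider ARN: {value!r}")
    if role.group(1) != provider.group(1):
        # AWS rejects a pair whose role and provider live in different accounts.
        raise ValueError(f"role and provider belong to different accounts: {value!r}")
    return RoleEntitlement(role.group(1), role.group(2), role.group(0), provider.group(0))


def role_entitlements(assertion_xml):
    """Split the Role attribute into usable entitlements and rejected raw values."""
    accepted, rejected = [], []
    for value in attribute_values(assertion_xml, AWS_ATTR_ROLE):
        try:
            accepted.append(parse_role_value(value))
        except ValueError:
            rejected.append(value)
    return accepted, rejected


def session_name(assertion_xml):
    """RoleSessionName is mandatory and ends up in the assumed-role ARN seen in CloudTrail."""
    values = attribute_values(assertion_xml, AWS_ATTR_SESSION_NAME)
    if len(values) != 1 or not SESSION_NAME_RE.match(values[0]):
        raise ValueError("RoleSessionName missing or malformed")
    return values[0]


def session_duration(assertion_xml, role_max_session_duration=3600):
    """Effective session length in seconds: AWS allows 900..43200, defaults to 3600
    when the attribute is absent, and refuses values above the role's MaxSessionDuration."""
    values = attribute_values(assertion_xml, AWS_ATTR_SESSION_DURATION)
    if not values:
        return 3600
    seconds = int(values[0])
    if not 900 <= seconds <= 43200:
        raise ValueError(f"SessionDuration {seconds} outside 900..43200")
    if seconds > role_max_session_duration:
        raise ValueError(f"SessionDuration {seconds} exceeds MaxSessionDuration {role_max_session_duration}")
    return seconds


def choose_role(entitlements, account_id, role_name):
    """Pick the role the user selected; only roles actually asserted can be chosen."""
    for ent in entitlements:
        if ent.account_id == account_id and ent.role_name == role_name:
            return ent
    raise LookupError(f"{role_name} in {account_id} is not among the asserted roles")


if __name__ == "__main__":
    ok, bad = role_entitlements(SAMPLE_ASSERTION)
    print([f"{e.account_id}:{e.role_name}" for e in ok], "rejected:", bad)
    print(session_name(SAMPLE_ASSERTION), session_duration(SAMPLE_ASSERTION))
```

The cross-account pair is reported rather than silently dropped because a mismatch between the role ARN and the provider ARN usually means a role was imported from the wrong account or the provider name differs between accounts; those are exactly the misconfigurations that surface as a failed AWS sign-in after a role refresh.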

If you create another IAM role after setting up the API integration in Okta, the role is not automatically available in Okta. To make it available, select Application > More > Refresh Application Data. This downloads the latest roles, together with the profiles and groups of apps configured for user provisioning; Okta uses this data when it creates users in those apps. A refreshed role still has to be assigned to users before it appears in their role list at sign-in.

Related topics

Connect Okta to a single Amazon Web Services instance

Connect Okta to multiple Amazon Web Services instances