Authorization

When you add an card to a flow for the first time, Okta prompts you to configure the connection to the relevant AWS IAM Identity Center account. After saving your account information, you can reuse the connection for future flows.

You can create multiple connections and manage them from your Connections page.

To create a connection from an action card:

  1. Click New Connection.

  2. Enter a Connection Nickname. This is useful if you plan to create multiple AWS IAM Identity Center connections to share with your team.

  3. Copy the ID from Account ID to the associated role's trust policy. See Providing access to AWS accounts owned by third parties.

  4. Copy the ID from External ID to the associated role's trust policy. See Providing access to AWS accounts owned by third parties.

  5. Enter a Role Amazon Resource Name (ARN). See IAM Identifiers.

  6. Click Create.

The role that you create for operations must have an attached IAM policy that allows the actions. The following code is an example of a configured policy.

Copy 
{
    "Version": "2012-10-17",
    "Statement": 
        [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": 
                    [
                    "sso:ListAccountAssignments",
                    "organizations:ListAccounts",
                    "sso:ListPermissionSets",
                    "sso:CreateAccountAssignment",
                    "sso:ListInstances",
                    "sso:DeleteAccountAssignment"
                    ],
                    "Resource": "*"
            }
        ]
}

Related topics

AWS Multi-Account Access connector

Workflow elements

AWS IAM Identity Center API Reference Guide