AWS Multi-Account Access Authorization
When you add an AWS Multi-Account Access card to a flow for the first time, Okta prompts you to configure the connection to the relevant AWS IAM Identity Center account. After saving your account information, you can reuse the connection for future AWS Multi-Account Access flows.
You can create multiple connections and manage them from your Connections page.
To create a connection from an action card:
- Click New Connection.
- Enter a Connection Nickname. This is useful if you plan to create multiple AWS IAM Identity Center connections to share with your team.
- Copy the value shown in Account ID into the trust policy of the IAM role that Okta will assume. This is the AWS account from which the connector calls sts:AssumeRole, so it is the principal that the trust policy must allow. See Providing access to AWS accounts owned by third parties.
- Copy the value shown in External ID into the same trust policy as an sts:ExternalId condition. The external ID is what stops another party that can make the Okta account call AssumeRole from using your role (the confused deputy problem). See Providing access to AWS accounts owned by third parties.
- Enter the Role Amazon Resource Name (ARN) of the role that carries that trust policy. See IAM Identifiers.
- Click Create.
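The trust policy that steps 3 and 4 ask you to edit is not shown on this page; the following is an added example and not Okta's own text. The account ID 111122223333, the Sid, and the placeholder external ID value are assumptions: replace the account ID with the Account ID and the placeholder with the External ID shown on the connection dialog.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOktaWorkflowsToAssumeRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE_WITH_EXTERNAL_ID_FROM_OKTA"
        }
      }
    }
  ]
}
```

Attach this as the trust policy of the role whose ARN you enter in the dialog. The Condition block is the security-relevant part: a trust policy that names the Okta account as principal but omits the sts:ExternalId condition would let any workflow in any Okta tenant that learned your role ARN assume the role. Verify the result with aws iam get-role on the role and confirm that the returned AssumeRolePolicyDocument contains the condition before you click Create.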
The role that you create for AWS Multi-Account Access operations must also have an attached IAM permissions policy that allows the IAM Identity Center and AWS Organizations actions the connector calls: listing instances, accounts and permission sets, and creating, listing and deleting account assignments. The following code is an example of a configured policy. Note that "Resource": "*" lets these actions reach every Identity Center instance, permission set and account in your organization; where an action supports resource-level permissions, narrow Resource to the instance and permission set ARNs the workflow actually needs.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sso:ListAccountAssignments",
        "organizations:ListAccounts",
        "sso:ListPermissionSets",
        "sso:CreateAccountAssignment",
        "sso:ListInstances",
        "sso:DeleteAccountAssignment"
      ],
      "Resource": "*"
    }
  ]
}