Config Schema
Field | Type | Description | Secret |
---|---|---|---|
sso_identity_store_id | string | the AWS SSO identity store ID | false |
sso_instance_arn | string | the AWS SSO instance ARN | false |
sso_region | string | the AWS SSO instance region | false |
sso_role_arn | string | The ARN of the AWS IAM Role with permission to administer SSO | false |
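
As an added example (not Common Fate's code), a pre-deployment check of the four fields above: it verifies each value against the identifier format AWS uses for that resource type, and that both ARNs sit in the partition implied by sso_region. The function names, the limited partition list and the sample values are assumptions made for this example.

```python
import re

# Assumed identifier formats, following AWS's published patterns for each type.
_P = r"arn:(?P<partition>aws|aws-cn|aws-us-gov)"
PATTERNS = {
    "sso_identity_store_id": re.compile(r"d-[0-9a-f]{10}"),
    "sso_instance_arn": re.compile(_P + r":sso:::instance/(sso)?ins-[a-zA-Z0-9.-]{16}"),
    "sso_region": re.compile(r"[a-z]{2}(-[a-z]+)+-\d"),
    "sso_role_arn": re.compile(_P + r":iam::\d{12}:role/[\w+=,.@/-]+"),
}

def partition_for_region(region):
    """Map a region name to its AWS partition."""
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws-us-gov" if region.startswith("us-gov-") else "aws"

def validate_config(cfg):
    """Return a list of problems; an empty list means the values look well-formed."""
    problems, matches = [], {}
    for field, pattern in PATTERNS.items():
        value = cfg.get(field)
        if not isinstance(value, str):
            problems.append(f"{field}: missing or not a string")
        elif (m := pattern.fullmatch(value)) is None:
            problems.append(f"{field}: unexpected format")
        else:
            matches[field] = m
    # Cross-field check: both ARNs and the region must sit in one AWS partition.
    if len(matches) == len(PATTERNS):
        expected = partition_for_region(cfg["sso_region"])
        for field in ("sso_instance_arn", "sso_role_arn"):
            if matches[field].group("partition") != expected:
                problems.append(f"{field}: partition does not match sso_region")
    return problems

# Constructed sample values, not real identifiers.
SAMPLE = {
    "sso_identity_store_id": "d-1234567890",
    "sso_instance_arn": "arn:aws:sso:::instance/ssoins-1234567890abcdef",
    "sso_region": "ap-southeast-2",
    "sso_role_arn": "arn:aws:iam::123456789012:role/common-fate-sso-provisioning",
}
```

A format check like this catches a permission set ARN pasted into sso_instance_arn or a truncated identity store ID before the provider is deployed; it does not confirm that the resources exist or that the role has the permissions it needs.
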
Docs
Access
This Access Provider provisions temporary account assignments for AWS IAM Identity Center Permission Sets. When making an access request, users will specify the following parameters:
Parameter | Description |
---|---|
account | the AWS account to access |
role | the role to access |
Getting started
Prerequisites
To use this Access Provider you'll need to have deployed Common Fate. You'll also need to download the cf CLI.
You will also need AWS credentials with the ability to deploy CloudFormation templates.
To use this Access Provider, you need to have AWS IAM Identity Center set up in your AWS Organization. Please contact us via Slack if you'd like to use this Access Provider, but are not using IAM Identity Center.
1. Deploy access roles
First, deploy the IAM roles below.
AWS SSO provisioning role
This role is used to list AWS resources including accounts, organizational units, and permission sets. It is also used to provision account assignments.
Deploy this role into the account with the log groups you wish to grant access to:
2. Deploy the Access Provider
To deploy this Access Provider, open a terminal window and assume an AWS role with access to deploy CloudFormation resources in the Common Fate account. Then, run:
cf provider deploy
and select the common-fate/aws Provider when prompted.