AWS Identity Center - basic integration

How does it work?

  • Entitle connects to the root account of your organization by creating a dedicated IAM user with an attached policy.
  • From the root account, Entitle retrieves and manages the SSO users, groups, and permission sets.
  • In the sub-accounts, Entitle collects and manages permission sets.

AWS - Managed Resource Types

  • Permission Sets
    • When an access request is approved, temporary access to the permission set is added to the employee's management console.
    • When an access request expires, the temporary permission set is removed.
  • SSO Groups
    • When an access request is approved, the employee's account is added to the SSO group.
    • When an access request expires, the employee's account is removed from the SSO group.

General guidelines

👉🏼 To integrate AWS with Entitle, you will need to complete the following actions:

  • Create an IAM user with a trust relationship.
  • Create an access management policy, and attach it to the user created before.
  • Extract the SSO ARN and region.

📘 Note

The AWS integration can be set up either with the AWS CLI or via the AWS Management Console. Both options are described below; choose your preferred method for setting up the integration.

Set up AWS to work with Entitle

There are two ways to integrate AWS with Entitle:

  1. Creating an IAM user.
  2. Setting up a pod-based identity by creating an Entitle role with a trust relationship.

AWS CLI (Command Line Interface)

Prerequisites

  • A user who is an SSO admin, with the AWS CLI installed and configured on your device.

Stage 1: Setting up an IAM user and a management policy

  1. Create an IAM user:
aws iam create-user --user-name EntitleServiceAccount
  2. Create an access key and secret for the IAM user, and copy both the access key and the secret key; you will use them later in this guide:
aws iam create-access-key --user-name EntitleServiceAccount
  3. Create the Entitle management policy from the policy file at the URL below, and copy the policy's ARN; you will use it later in this guide:
curl -O https://entitle-public.s3.amazonaws.com/EntitleManagementPolicy.json

policy_arn=$(aws iam create-policy --policy-name EntitleManagementPolicy --policy-document file://EntitleManagementPolicy.json --query 'Policy.Arn' --output text)
  4. Attach the Entitle management policy to the Entitle IAM user:
aws iam attach-user-policy --user-name EntitleServiceAccount --policy-arn "$policy_arn"

Stage 2: Retrieve the SSO information

  1. Get the SSO instance ARN, and copy it; you will use it later in this guide:
aws sso-admin list-instances --output text --query 'Instances[0].InstanceArn'
  2. Note the region of the SSO instance; you will use it later in this guide.
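The four Stage 1 commands and the Stage 2 lookup above can also be run as one checked sequence. The script below is an added example and not part of Entitle's documentation or tooling. It assumes the `aws` CLI is on PATH and configured with an SSO admin's credentials in the management account, that EntitleManagementPolicy.json has already been downloaded into the working directory, and it takes a `run` parameter (this example's own design, so the CLI can be replaced by a fake when testing offline). It reuses an existing user or policy instead of failing on EntityAlreadyExists, reads the user back after attaching the policy to confirm the attachment is visible, and only then creates the access key.

```python
"""Added example, not Entitle's own tooling: Stage 1 and Stage 2 of the CLI
guide as one verified sequence. Assumes `aws` is on PATH, configured for an
SSO admin in the management account, and EntitleManagementPolicy.json is in
the working directory. `run` is injectable so the CLI can be faked offline."""
import json
import subprocess
from typing import Callable, Sequence

USER_NAME = "EntitleServiceAccount"
POLICY_NAME = "EntitleManagementPolicy"
POLICY_FILE = "EntitleManagementPolicy.json"


class AwsCliError(Exception):
    """Raised when the AWS CLI exits non-zero (e.g. NoSuchEntity)."""


def run_aws(args: Sequence[str]) -> str:
    """Invoke the real AWS CLI and return its stdout (JSON, except `configure`)."""
    cmd = ["aws", *args]
    if args[0] != "configure":          # `aws configure get` prints plain text
        cmd += ["--output", "json"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise AwsCliError(proc.stderr.strip())
    return proc.stdout


Runner = Callable[[Sequence[str]], str]


def ensure_policy(run: Runner = run_aws) -> str:
    """Return the management policy ARN, creating the policy only if absent."""
    account = json.loads(run(["sts", "get-caller-identity"]))["Account"]
    arn = f"arn:aws:iam::{account}:policy/{POLICY_NAME}"
    try:
        run(["iam", "get-policy", "--policy-arn", arn])
        return arn                      # already there: reuse, do not recreate
    except AwsCliError:
        out = run(["iam", "create-policy", "--policy-name", POLICY_NAME,
                   "--policy-document", f"file://{POLICY_FILE}"])
        return json.loads(out)["Policy"]["Arn"]


def ensure_user(run: Runner = run_aws) -> None:
    """Create EntitleServiceAccount unless it already exists."""
    try:
        run(["iam", "get-user", "--user-name", USER_NAME])
    except AwsCliError:
        run(["iam", "create-user", "--user-name", USER_NAME])


def attach_and_verify(policy_arn: str, run: Runner = run_aws) -> bool:
    """Attach the policy, then read the user back to confirm it is listed."""
    run(["iam", "attach-user-policy", "--user-name", USER_NAME,
         "--policy-arn", policy_arn])
    out = json.loads(run(["iam", "list-attached-user-policies",
                          "--user-name", USER_NAME]))
    return any(p["PolicyArn"] == policy_arn for p in out["AttachedPolicies"])


def sso_instance(run: Runner = run_aws) -> tuple[str, str]:
    """Return (instance ARN, region). list-instances only answers in the region
    that hosts the instance, so an empty result means the CLI's configured
    region is not the Identity Center region the guide asks you to copy."""
    instances = json.loads(run(["sso-admin", "list-instances"]))["Instances"]
    if not instances:
        raise RuntimeError("no Identity Center instance in the configured region")
    region = run(["configure", "get", "region"]).strip()
    return instances[0]["InstanceArn"], region


if __name__ == "__main__":
    ensure_user()
    arn = ensure_policy()
    if not attach_and_verify(arn):
        raise SystemExit("policy attachment not visible on the user")
    key = json.loads(run_aws(["iam", "create-access-key",
                              "--user-name", USER_NAME]))["AccessKey"]
    print("access_key_id:", key["AccessKeyId"])
    print("secret_access_key:", key["SecretAccessKey"])
    instance_arn, region = sso_instance()
    print("sso_instance_arn:", instance_arn)
    print("region:", region)
```

Run it from the directory holding the policy file; the printed values are exactly the ones Stages 1 and 2 ask you to copy. If `list-instances` comes back empty, the CLI's configured region is not the one hosting the Identity Center instance, which is the region value the configuration needs.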

AWS management console

Stage 1: Setting up a management policy and an IAM user

In this stage, you will configure the policy that Entitle requires in order to manage access to your AWS accounts. Later in this guide, you will create an IAM user and attach this policy to it.

  1. Click IAM on the top left.
  2. Click Policies.
  3. Click Create Policy.
  4. In this window, click on the blue JSON button on the right.
  5. Paste the JSON below into the Policy editor.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachUserPolicy",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:DetachUserPolicy",
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetSAMLProvider",
                "iam:UpdateSAMLProvider",
                "iam:ListAttachedRolePolicies",
                "iam:ListEntitiesForPolicy",
                "iam:ListPolicies",
                "iam:ListPolicyTags",
                "iam:ListPolicyVersions",
                "iam:ListRolePolicies",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "identitystore:CreateGroupMembership",
                "identitystore:DeleteGroupMembership",
                "identitystore:DescribeGroup",
                "identitystore:DescribeGroupMembership",
                "identitystore:DescribeUser",
                "identitystore:GetGroupId",
                "identitystore:GetGroupMembershipId",
                "identitystore:GetUserId",
                "identitystore:IsMemberInGroups",
                "identitystore:ListGroupMemberships",
                "identitystore:ListGroupMembershipsForMember",
                "identitystore:ListGroups",
                "identitystore:ListUsers",
                "organizations:ListAccounts",
                "sso-directory:DescribeUsers",
                "sso:AttachCustomerManagedPolicyReferenceToPermissionSet",
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeletePermissionSet",
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:DescribePermissionSet",
                "sso:DetachCustomerManagedPolicyReferenceFromPermissionSet",
                "sso:ListAccountAssignments",
                "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
                "sso:ListInstances",
                "sso:ListPermissionSets",
                "sso:ListTagsForResource",
                "sso:TagResource",
                "sso:UntagResource",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:TagPolicy",
                "organizations:DescribeAccount"
            ],
            "Resource": "*"
        }
    ]
}
  6. Name the policy EntitleManagementPolicy.
  7. Click Save.
  8. Click IAM on the top left.
  9. Click Users.
  10. Click Create User.
  11. Name the user EntitleServiceAccount, and click Next.
  12. Choose the Attach policies directly option.
  13. Add the EntitleManagementPolicy policy created previously by searching for it and checking it.
  14. Click Next.
  15. Click Create User.
  16. Search for the newly created user, and click on it.
  17. Click Security Credentials.
  18. Scroll down, and click Create access key.
  19. Click Command Line Interface.
  20. Click Next, and then click Create.
  21. Copy the Access key and Secret access key; you will use them later in the configuration.

📘 Note

You can also choose a pod-based identity instead of setting up a user. To connect Entitle with your AWS app this way, follow the steps below:

  • Create a new role.
  • Save the role's ARN; it will be used to configure your AWS integration under the access_role_arn field (see the Configuration part below).
  • Assign the SSO Management Policy above to the role.
  • To establish a secured connection between your AWS instance and Entitle, set a trust relationship with Entitle so that Entitle can assume the roles you intend to manage. Add the trust relationship below to the role you created:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::321183744702:role/entitle-prod-ichilov@entitle"
			},
			"Action": "sts:AssumeRole",
			"Condition": {}
		}
	]
}
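Before attaching either document, it helps to see what each one actually grants. The script below is an added example, not Entitle's code: `summarize_actions` splits a permission policy's actions into read-only and mutating per service (classifying by verb prefix is this example's own heuristic), `wildcard_write_statements` lists statements that allow mutating actions on Resource "*", and `review_trust_policy` checks that each AssumeRole statement names a single explicit IAM principal and reports an empty Condition as a review point. The embedded management policy is a constructed 12-action excerpt of the page's 58-action EntitleManagementPolicy, and the trust policy uses a constructed account id and role name in place of Entitle's. Pass the downloaded EntitleManagementPolicy.json to `summarize_actions` to review the full document.

```python
"""Added example, not Entitle's code: a reviewer for the management policy and
the role trust policy shown in this guide. Sample documents are constructed."""
import json
import re
from collections import defaultdict

# Verb prefixes treated as read-only; everything else counts as mutating.
# This split is this example's heuristic, not an AWS classification.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Is")

# Constructed 12-action excerpt of the page's EntitleManagementPolicy.
MANAGEMENT_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "iam:AttachUserPolicy", "iam:CreatePolicy", "iam:GetPolicy", "iam:ListUsers",
            "identitystore:CreateGroupMembership", "identitystore:DeleteGroupMembership",
            "identitystore:IsMemberInGroups", "identitystore:ListGroups",
            "sso:CreateAccountAssignment", "sso:DeleteAccountAssignment",
            "sso:DescribePermissionSet", "sso:ListInstances",
        ],
        "Resource": "*",
    }],
}

# The guide's trust policy shape with a constructed account id and role name.
TRUST_POLICY_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/entitle-prod-example"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
}

IAM_PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    return action.partition(":")[2].startswith(READ_ONLY_VERBS)


def summarize_actions(policy):
    """Return {service: {"read": [...], "write": [...]}} over Allow statements."""
    summary = defaultdict(lambda: {"read": [], "write": []})
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service = action.partition(":")[0]
            summary[service]["read" if _is_read_only(action) else "write"].append(action)
    return {svc: {k: sorted(v) for k, v in kinds.items()} for svc, kinds in summary.items()}


def wildcard_write_statements(policy):
    """Sids of Allow statements granting a mutating action on Resource "*"."""
    found = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        if any(not _is_read_only(a) for a in _as_list(stmt.get("Action"))):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def review_trust_policy(policy):
    """Return review findings for every Allow sts:AssumeRole statement.

    An empty list means each statement trusts exactly one IAM role/user ARN and
    carries a Condition. The guide's own trust policy has an empty Condition, so
    that finding is expected there; it is reported so the reviewer sees it."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal) if isinstance(principal, str) \
            else _as_list((principal or {}).get("AWS"))
        for p in principals:
            if p == "*" or p.endswith(":root"):
                findings.append(f"statement {i}: principal {p} is broader than a single role")
            elif not IAM_PRINCIPAL_ARN.match(p):
                findings.append(f"statement {i}: principal {p} is not an IAM role/user ARN")
        if not stmt.get("Condition"):
            findings.append(f"statement {i}: Condition is empty, so only the principal ARN "
                            "restricts who can assume the role")
    return findings


if __name__ == "__main__":
    print(json.dumps(summarize_actions(MANAGEMENT_POLICY_EXCERPT), indent=2))
    print("wildcard-resource write statements:", wildcard_write_statements(MANAGEMENT_POLICY_EXCERPT))
    for finding in review_trust_policy(TRUST_POLICY_EXAMPLE):
        print("trust policy:", finding)
```

The per-service split makes the scope of the service account concrete: the mutating identitystore and sso actions are what let Entitle add and remove group memberships and account assignments, which is the behaviour described under "AWS - Managed Resource Types" above, while the iam write actions are what it needs to create and attach policies. For the trust policy, the finding on the empty Condition is informational; the principal check is the one that must stay clean, since a wildcard or account-root principal would let any identity in that account assume the role.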

Stage 2: Retrieve the SSO information

  1. Log in to your AWS account and navigate to your management account.
  2. Click IAM Identity Center on the top left.
  3. Click the Settings option on the left-side menu.
  4. Under the Details section, you will find the SSO instance ARN and the region in which the SSO instance resides.
  5. Copy both values, as you will use them later on in the configuration.

Entitle integration setup

All that is left to do is create an integration in the Entitle application.

  1. Log into Entitle and navigate to the Integrations page.
  2. Click the Add Integration button, then type AWS in the Application field.
  3. Don't forget to set the Save on field with your configuration, i.e. your own hosted agent or Entitle's cloud.
  4. Under Connection, choose SSO Multi-Account.
  5. Under the root_account configuration:
    1. Paste the access key and the secret access key created in Stage 1 into access_key_id and secret_access_key respectively.
    2. Paste the region copied in Stage 2 into the region value.
  6. Under the options configuration:
    1. Paste the SSO instance ARN copied in Stage 2 into the sso_instance_arn value.
    2. Paste the Entitle permission set ARN copied in Stage 1 into the corresponding entitle_permission_set_arn value.

Example Connection JSON (replace the region value with the region of your SSO instance):

{
  "root_account": {
    "access_key_id": "<ACCESS_KEY_ID>",
    "secret_access_key": "<SECRET_ACCESS_KEY>",
    "region": "us-east-1"
  },
  "sub_accounts": [],
  "options": {
    "sso_instance_arn": "<INSTANCE_ARN_OF_SSO_FEDERATION>",
    "tags": [],
    "resource_types": [
      "organizations:account",
      "sso:group"
    ]
  }
}

  7. Click Save. You are done! 🎉