Amazon Web Services (AWS) connector

Integrations with the applications from which ConductorOne pulls identity data are called connectors.

Overview

Amazon Web Services (AWS) is a widely used cloud infrastructure provider. Because an AWS account typically holds sensitive customer data and runs the infrastructure behind critical applications, who can access it needs to be governed carefully. ConductorOne connects to your AWS account by assuming an IAM role you create, and uses it to read IAM Users, Groups, and Roles and, where AWS IAM Identity Center (formerly AWS SSO) is in use, its users, groups, permission sets, and account assignments.

Availability

General availability. The AWS integration is available to all ConductorOne users.

Capabilities

  • Sync identities from AWS IAM Users to ConductorOne
  • Authorization mapping for federated users (IAM Identity Center users and groups and their account assignments)

Known limitations

  • Cross-account Assume Role is not currently supported

Requirements

When connecting to your AWS environment, you will need:

  • Super Administrator role in ConductorOne
  • Ability to create an IAM Role in AWS
    • ConductorOne uses an IAM trust relationship between your AWS account and ConductorOne’s service AWS account: you create a role, and only ConductorOne’s service role is allowed to assume it.
    • This is the AWS-recommended method of granting a third party access to an AWS account. ConductorOne has a dedicated, isolated AWS account used only for the AWS integration.
    • Whatever configuration you use, the only trusted entity in the role’s trust policy should be the following ARN: arn:aws:iam::765656841499:role/ConductorOneService

Integrate your AWS account

Step 1: Get ConductorOne-provided External ID for AWS IAM Role

  1. Navigate to the ConductorOne Integrations page and click AWS.
  2. Copy and save the External ID shown in the External ID field (we’ll use this in Step 2). AWS checks this value every time ConductorOne assumes your role, so only your ConductorOne tenant, and not another party that merely knows your role ARN, can use the role.

Step 2: Create an AWS IAM Role for ConductorOne to use

  1. In a new browser tab, sign in to your AWS Account using your existing credentials or SSO.

  2. Navigate to the IAM Dashboard and select Roles » Create Role.

  3. Select Custom Trust Policy and paste the following into the Trust Policy JSON editor, replacing EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE with the value from Step 1.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::765656841499:role/ConductorOneService"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE"
            }
          }
        }
      ]
    }
    
  4. Click Next.

  5. Skip Add permissions and click Next.

  6. Give the role a name, such as ConductorOneIntegration.

  7. Add any Tags relevant to your Organization and click Create Role.

  8. Find the newly created role, and click on it to view the role details page.

  9. Under Permissions Policies, click Add Permissions and select Create Inline Policy.

  10. Switch to the JSON Editor tab and paste the following policy into the editor:

    {
      "Statement": [
        {
          "Action": [
            "iam:GetGroup",
            "iam:ListAccountAliases",
            "iam:ListGroups",
            "iam:ListRoles",
            "iam:ListUsers",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "identitystore:ListUsers",
            "organizations:ListAccounts",
            "sso:DescribePermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListInstances",
            "sso:ListPermissionSets",
            "sso:ListPermissionSetsProvisionedToAccount"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "ConductorOneReadAccess"
        }
      ],
      "Version": "2012-10-17"
    }
    
  11. Click Review Policy.

  12. Give the Policy a name, such as ConductorOnePermissions and click Create Policy.

  13. Copy the Role ARN of the role you created. It should look like arn:aws:iam::NNNNNNNNNNNN:role/ConductorOneIntegration, where the N’s are your 12-digit AWS account ID (we’ll use this in Step 3).

Step 3: Integrate ConductorOne with your AWS account

  1. Return to ConductorOne, click Integrations > AWS.
  2. Paste the Role ARN you copied in Step 2 into the Role ARN field.
  3. Click Next.
  4. A new AWS page opens with your saved credentials.

That’s it! Your AWS account is now integrated with ConductorOne.
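Before you rely on the integration, it is worth confirming that the role you created matches the documented setup exactly: the trust policy names only the ConductorOne service role as its principal and carries the sts:ExternalId condition (without that condition, anything able to act through ConductorOne’s service role, including another ConductorOne tenant that learns your role ARN, could assume your role; this is the confused-deputy problem the External ID exists to prevent), and the permissions policy grants only read actions. The following Python script is an added example, not ConductorOne’s own tooling. It audits the two policy documents offline; the file names, the sample External ID, and the deliberately weak trust policy embedded in it are constructed for illustration.

```python
"""Offline audit of the IAM role ConductorOne assumes (added example, not C1 code).

Flags a trust-policy principal other than ConductorOne's service role, a missing or
placeholder sts:ExternalId condition, and any non-read-only action. Export the live
documents with the AWS CLI, then run the script on the two files:
  aws iam get-role --role-name ConductorOneIntegration --output json \
      --query Role.AssumeRolePolicyDocument > trust.json
  aws iam get-role-policy --role-name ConductorOneIntegration --output json \
      --policy-name ConductorOnePermissions --query PolicyDocument > perms.json
  python audit_c1_role.py trust.json perms.json [EXTERNAL_ID]
"""
import json
import sys

C1_SERVICE_ROLE = "arn:aws:iam::765656841499:role/ConductorOneService"  # from the docs
READ_ONLY_PREFIXES = ("Get", "List", "Describe")  # action verbs accepted as read-only
PLACEHOLDER = "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE"  # the docs' placeholder text


def _as_list(value):
    """IAM accepts a bare string wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, expected_external_id=None):
    """Return findings (empty list means pass) for a role trust policy."""
    findings, assume_statements = [], 0
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue
        assume_statements += 1
        principal = stmt.get("Principal", {})
        # "Principal": "*" is a bare string; {"AWS": ...} may hold a string or a list.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p != C1_SERVICE_ROLE:
                findings.append(f"trust: principal {p!r} is not the ConductorOne service role")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")
        elif ext_id == PLACEHOLDER:
            findings.append("trust: sts:ExternalId is still the placeholder from the docs")
        elif expected_external_id is not None and ext_id != expected_external_id:
            findings.append("trust: sts:ExternalId differs from the Integrations page value")
    if assume_statements == 0:
        findings.append("trust: no Allow statement for sts:AssumeRole; ConductorOne cannot connect")
    return findings


def audit_permissions_policy(doc):
    """Return findings for the permissions policy; every allowed action must be read-only."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[-1]  # "iam:ListUsers" -> "ListUsers", "iam:*" -> "*"
            if not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"permissions: {action!r} is not a read-only action")
    return findings


# Constructed samples: the documented policies with a made-up External ID, plus a
# weak trust policy that trusts the whole ConductorOne account and has no External ID.
EXAMPLE_EXTERNAL_ID = "example-external-id-from-c1"
GOOD_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": C1_SERVICE_ROLE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXAMPLE_EXTERNAL_ID}}}]}
WEAK_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::765656841499:root"},
    "Action": "sts:AssumeRole"}]}
READ_ONLY_PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ConductorOneReadAccess", "Effect": "Allow", "Resource": "*", "Action": [
        "iam:GetGroup", "iam:ListAccountAliases", "iam:ListGroups", "iam:ListRoles",
        "iam:ListUsers", "identitystore:ListGroupMemberships", "identitystore:ListGroups",
        "identitystore:ListUsers", "organizations:ListAccounts", "sso:DescribePermissionSet",
        "sso:ListAccountAssignments", "sso:ListInstances", "sso:ListPermissionSets",
        "sso:ListPermissionSetsProvisionedToAccount"]}]}


def main(argv):
    """Audit the documents named on the command line; exit status 1 on any finding."""
    if len(argv) < 3:
        print(__doc__)
        return 2
    with open(argv[1]) as f:
        trust = json.load(f)
    with open(argv[2]) as f:
        perms = json.load(f)
    expected = argv[3] if len(argv) > 3 else None
    findings = audit_trust_policy(trust, expected) + audit_permissions_policy(perms)
    print("\n".join(findings) if findings else "OK: role matches the documented setup")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the exported trust.json and perms.json, passing the External ID from the Integrations page as the third argument so the script also confirms the value you pasted is the one ConductorOne will present. A non-zero exit status means at least one finding; the weak sample policy in the script produces two (principal is the account root rather than the service role, and no External ID), which is exactly the configuration the documented trust policy is designed to avoid.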

Integrate using Terraform

As an alternative to the console steps above, use the following Terraform configuration to create the same role, trust policy, and read-only inline policy in your AWS account.

Step 1: Get ConductorOne-provided External ID for AWS IAM Role

  1. Log into ConductorOne.
  2. In the navigation panel click Integrations » AWS Connector.
  3. Copy and save the External ID populated in the External ID field (we’ll use this in Step 2).

Step 2: Use a Terraform script to set up the AWS integration

# External ID copied from the ConductorOne Integrations page in Step 1.
# Pass it with -var or a .tfvars file rather than hard-coding it.
variable "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE" {
  description = "ConductorOne-provided External ID for AWS IAM Role from Step 1"
  type        = string
}

resource "aws_iam_role" "ConductorOneIntegration" {
  name = "ConductorOneIntegration"

  # Trust policy: only ConductorOne's service role may assume this role, and only
  # when it presents the External ID.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::765656841499:role/ConductorOneService"
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {
          "StringEquals" : {
            "sts:ExternalId" : var.EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE
          }
        }
      }
    ]
  })

  # Read-only permissions, identical to the inline policy created in the console
  # steps. Newer AWS provider releases mark inline_policy as deprecated in favour
  # of a separate aws_iam_role_policy resource; the policy document is the same.
  inline_policy {
    name = "ConductorOnePermissions"

    policy = jsonencode({
      "Statement" : [
        {
          "Action" : [
            "iam:GetGroup",
            "iam:ListAccountAliases",
            "iam:ListGroups",
            "iam:ListRoles",
            "iam:ListUsers",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "identitystore:ListUsers",
            "organizations:ListAccounts",
            "sso:DescribePermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListInstances",
            "sso:ListPermissionSets",
            "sso:ListPermissionSetsProvisionedToAccount"
          ],
          "Effect" : "Allow",
          "Resource" : "*",
          "Sid" : "ConductorOneReadAccess"
        }
      ],
      "Version" : "2012-10-17"
    })
  }
}

# After `terraform apply`, paste the role ARN (aws_iam_role.ConductorOneIntegration.arn)
# into the Role ARN field on the ConductorOne Integrations » AWS page.