> ## Documentation Index
> Fetch the complete documentation index at: https://hc.saas-manager.biz.nuro.jp/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS IAM Identity Center

> Instructions for integrating with AWS IAM Identity Center (AWS SSO).

## Supported Features

<Badge color="blue">Account Creation</Badge> <Badge color="blue">Account Deletion</Badge>

## Prerequisites

### Step 1: Creating a Policy for Integration

1. Go to [Identity and Access Management (IAM)](https://console.aws.amazon.com/iam), and click \[**Create policy**] from **Policies** in the left menu. For details, refer to [Creating IAM policies (external site)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html).

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698807178111-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=797c929a26703b7d461bcadbd226b45c" alt="IAM policy screen" width="3066" height="812" data-path="images/integrations/eujd10zuc3/1698807178111-image.png" />

2. On the Create policy screen, click the JSON tab and overwrite with the following script.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698807429788-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=d708525ef00ded3cadf5bee8d021d0d8" alt="Policy JSON edit screen" width="2990" height="1410" data-path="images/integrations/eujd10zuc3/1698807429788-image.png" />

```json theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "identitystore:ListGroupMemberships",
                "sso:ListAccountAssignmentsForPrincipal",
                "organizations:ListAccounts",
                "sso:ListPermissionSets",
                "identitystore:ListUsers",
                "sso:ListInstances",
                "identitystore:ListGroups",
                "sso:DescribePermissionSet"
            ],
            "Resource": "*"
        }
    ]
}
```

3. Enter a name of your choice and click \[Create policy] to save. (No other fields are required.)

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698807683624-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=0b32ec17c483369705a1927fceaa70e2" alt="Policy creation complete" width="2998" height="1470" data-path="images/integrations/eujd10zuc3/1698807683624-image.png" />

### Step 2: Creating a Role for Integration

1. Go to [Identity and Access Management (IAM)](https://console.aws.amazon.com/iam), and click **Roles** > **Create role** from the left menu.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698807827541-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=b2f66b50c5ee09aac7ba3c0f14738634" alt="Role creation screen" width="3058" height="766" data-path="images/integrations/eujd10zuc3/1698807827541-image.png" />

2. On the Select trusted entity screen, enter the following values. When finished, click \[**Next**].

* Trusted entity type: Select **AWS account**
* AWS account: Select **Another AWS account** and enter `162001151631` as the account ID.
* Check **Require an external ID (Best practice when a third party will assume this role)**
* For External ID, enter `a random alphanumeric string (no symbols, 24+ characters recommended)`.
* Uncheck Require MFA.
* To add or remove users in Admina, grant [these permissions](#policies-controlling-access-create-update-delete) to the role.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698807993343-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=ada96926dc862998467aef8b4df97b01" alt="Role settings screen" width="2716" height="1650" data-path="images/integrations/eujd10zuc3/1698807993343-image.png" />

3. Select the policy created in Step 1, then click Next.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698808246586-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=bc84ad8b0fade4d4bb38f4608dbf2526" alt="Policy selection screen" width="1890" height="676" data-path="images/integrations/eujd10zuc3/1698808246586-image.png" />

4. Set any role name and click \[**Create role**]. (No other fields need to be edited.)

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698808668143-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=ae761b77f32e1c8ba7651d69e879cc47" alt="Role name settings screen" width="1838" height="355" data-path="images/integrations/eujd10zuc3/1698808668143-image.png" />

<h4 id="policies-controlling-access-create-update-delete">
  Setting Permissions to Create and Delete Customer-Managed Policies
</h4>

To add or remove users in Admina, grant the following permissions to the role.

For details, also refer to [Controlling access to policies for creating, updating, and deleting customer-managed policies (external site)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html).

```json theme={null}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:CreateUser", 
                "identitystore:DeleteUser", 
                "identitystore:CreateGroupMembership" 
            ],
            "Resource": "*"
        }
    ]
}
```

### Step 3: Confirming the Role ARN

1. Search for and open the role you created on the Roles screen.
2. The **Role ARN** will be displayed. Copy and save it.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698805456434-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=f553c217394b3407ef9584f35d50fffd" alt="Role ARN confirmation screen" width="3026" height="780" data-path="images/integrations/eujd10zuc3/1698805456434-image.png" />

### Step 4: Confirming the Region and Workspace Key

Go to **IAM Identity Center > Settings** and copy and save the `Region` and `Identity store ID`.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698805146339-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=c6d5fa2ca4c7a107ededa9b016f1c174" alt="IAM Identity Center settings screen" width="3004" height="1460" data-path="images/integrations/eujd10zuc3/1698805146339-image.png" />

## Integration Setup

1. In Admina, go to Integrations > Integrations and search for **AWS IAM Identity Center**.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698804056336-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=566b274aa42ec8c520d131f9d38a70b2" alt="Admina integration screen" width="1407" height="498" data-path="images/integrations/eujd10zuc3/1698804056336-image.png" />

2. Enter the **workspace key**, **region**, **Role ARN**, and the **external ID** set during role creation obtained in the previous steps, then click Connect.

<img src="https://mintcdn.com/admina-sbn/1ks0vxXsJIfjtWJo/images/integrations/eujd10zuc3/1698805236794-image.png?fit=max&auto=format&n=1ks0vxXsJIfjtWJo&q=85&s=e951d9f671cda1fa3a50b24990906e64" alt="Integration details input screen" width="932" height="1616" data-path="images/integrations/eujd10zuc3/1698805236794-image.png" />

3. Once the integration with **AWS IAM Identity Center** is successful, registered user information will appear in the account list.

If it does not complete successfully, click **Edit** from the Status tab on the integrations screen and try again.

If the issue persists, please contact us via chat. For an overview of the AWS IAM Identity Center integration, see the [integration page](https://admina.moneyforward.com/en/integrations/aws-iam-identity-center).

## Manual Account Matching for SaaS Services Where Email Address Cannot Be Retrieved

Because email addresses cannot be retrieved for this service, user types are identified as "Unknown ID" in Directory > ID type.

If needed, manually match (merge) accounts with other accounts.

For configuration details, please contact us.
