---
title: AWS IAM Identity Center connector
description: The AWS IAM Identity Center connector allows you to manage users and groups, as well as manage user group memberships between the AWS IAM identity center and IDM. You need an administrator account.
component: openicf
page_id: openicf:connector-reference:aws-iam-identity-center
canonical_url: https://docs.pingidentity.com/openicf/connector-reference/aws-iam-identity-center.html
section_ids:
  before_you_start: Before you start
  install_the_aws_iam_identity_center_connector: Install the AWS IAM Identity Center connector
  configure_the_aws_iam_identity_center_connector: Configure the AWS IAM Identity Center connector
  config-connection-pooling-aws-iam-identity-center: Configure connection pooling
  mapping: Mapping
  test_the_aws_iam_identity_center_connector: Test the AWS IAM Identity Center connector
  use_the_aws_iam_identity_center_connector: Use the AWS IAM Identity Center connector
  AWS_IAM_IDENTITY_CENTER_USERS: User
  create_user: Create user
  get_users: Get Users
  get_user: Get user
  get_user_by_filter: Get user by filter
  get_users_ids: Get users IDs
  update_user: Update user
  delete_user: Delete user
  AWS_IAM_IDENTITY_CENTER_GROUPS: GROUPS
  create_group: Create group
  get_groups: Get groups
  get_groups_ids: Get groups IDs
  get_group: Get group
  get_group_by_filter: Get group by filter
  update_a_group: Update a group
  delete_a_group: Delete a group
  implemented-interfaces-org-forgerock-openicf-connectors-awsiam-AwsIamConnector-1.5.20.33: OpenICF Interfaces Implemented by the AWS IAM Identity Center Connector
  config-properties-org-forgerock-openicf-connectors-awsiam-AwsIamConnector-1.5.20.33: AWS IAM Identity Center Connector Configuration
  basic-configuration-properties-org-forgerock-openicf-connectors-awsiam-AwsIamConnector-1.5.20.33: Basic Configuration Properties
---

# AWS IAM Identity Center connector

The AWS IAM Identity Center connector lets you manage users and groups, and user group memberships, between AWS IAM Identity Center and IDM. You need an administrator account.

## Before you start

Before you configure the connector, log in to the AWS web console with your administrator account and obtain the values the connector needs to connect: `accessKey`, `secretKey`, `identityStoreId`, `region`, and `roleArn`.

## Install the AWS IAM Identity Center connector

|   |                                                                                                                                                                                                                                                                                  |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | To check for an Advanced Identity Cloud application for this connector, refer to [Application management](https://docs.pingidentity.com/pingoneaic/latest/app-management/applications.html) and [App catalog](https://docs.pingidentity.com/pingoneaic/latest/app-management/app-catalog.html). |

You can download any connector from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors), but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.

**Connector included in default deployment**

| Connector                                               | IDM                     | RCS                     |
| ------------------------------------------------------- | ----------------------- | ----------------------- |
| [AWS IAM Identity Center](aws-iam-identity-center.html) | No                      | No                      |

Download the connector .jar file from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors).

* If you're running the connector locally, place it in the `/path/to/openidm/connectors` directory, for example:

  ```
  mv ~/Downloads/awsiam-connector-1.5.20.33.jar /path/to/openidm/connectors/
  ```

* If you're using a remote connector server (RCS), place it in the `/path/to/openicf/connectors` directory on the RCS.

## Configure the AWS IAM Identity Center connector

Create a connector configuration using the IDM admin UI:

1. From the navigation bar, click Configure > Connectors.

2. On the Connectors page, click New Connector.

3. On the New Connector page, type a Connector Name.

4. From the Connector Type list, select AWS IAM Identity Center Connector - 1.5.20.33.

5. Complete the Base Connector Details and any applicable Additional Options.

   |   |                                                                                                                                     |
   | - | ----------------------------------------------------------------------------------------------------------------------------------- |
   |   | For a list of all configuration properties, refer to [AWS IAM Identity Center Connector Configuration](#awsiam-config-prop-ezLink). |

6. Click Save.

When your connector is configured correctly, the connector displays as Active in the admin UI.

Refer to [this procedure](configure-connector.html#connector-wiz-REST) to create a connector configuration over REST.

> **Collapse: Connection details**
>
> * `Access Key ID`: The access key ID is a globally unique IAM user identifier to access the AWS service API.
>
> * `Secret Key ID`: The secret key is a password to access the AWS service API.
>
> * `Role ARN`: Amazon Resource Name (ARN) for the role which has IAM Full Access permissions.
>
> * `Session Name`: A name used to uniquely identify a user session within the identity service.
>
> * `Credentials Expiration Time`: Lifetime, in seconds, of the temporary credentials obtained for the configured role. The value must be between 900 and 3600 seconds.
>
> * `Region`: The AWS region in which the IAM Identity Center instance is hosted.
>
> * `Identity Store ID`: Unique identifier of the identity store used by AWS IAM Identity Center.
>
> * `Max connections`: Maximum size of the HTTP connection pool. Optional.
>
> * `Connection Timeout (seconds)`: Timeout for the HTTP connection, in seconds. Optional.
>
> * `ProxyHost`: Proxy server host. Optional.
>
> * `ProxyPort`: Proxy server port number. Optional.
>
> * `ReadRateLimit`: Limits the request rate for read operations. The recommended rate is 20/sec.
>
> * `WriteRateLimit`: Limits the request rate for write operations. The recommended rate is 10/sec.

> **Collapse: Object Types**
>
> If necessary, add or edit your object types to have these three objects with their properties:
>
> > **Collapse: User (`__ACCOUNT__`)**
> >
> > | PROPERTY NAME       | TYPE   | NATIVE TYPE | REQUIRED |
> > | ------------------- | ------ | ----------- | -------- |
> > | `_id`               | String | String      | NO       |
> > | `__NAME__`          | String | String      | YES      |
> > | `name`              | Object | Object      | YES      |
> > | `displayName`       | String | String      | YES      |
> > | `userType`          | String | String      | NO       |
> > | `profileUrl`        | String | String      | NO       |
> > | `title`             | String | String      | NO       |
> > | `preferredLanguage` | String | String      | NO       |
> > | `locale`            | String | String      | NO       |
> > | `nickName`          | String | String      | NO       |
> > | `timezone`          | String | String      | NO       |
> > | `emails`            | Array  | Object      | NO       |
> > | `phoneNumbers`      | Array  | Object      | NO       |
> > | `addresses`         | Array  | Object      | NO       |
> > | `externalIds`       | Array  | Object      | NO       |
> > | `__GROUPS__`        | Array  | String      | NO       |
>
> > **Collapse: Group (`__GROUP__`)**
> >
> > | PROPERTY NAME | TYPE   | NATIVE TYPE | REQUIRED |
> > | ------------- | ------ | ----------- | -------- |
> > | `_id`         | String | String      | NO       |
> > | `__NAME__`    | String | String      | YES      |
> > | `description` | String | String      | NO       |
> > | `externalIds` | Array  | Object      | NO       |
>
> |   |                                                                                      |
> | - | ------------------------------------------------------------------------------------ |
> |   | The `__NAME__` field represents the username for users and the groupName for groups. |

If configuring the connector over REST or through the filesystem, specify the connection details to the AWS IAM Identity Center resource provider in the `configurationProperties` for the connector. The minimum required properties are `accessKey`, `secretKey`, `roleArn`, `roleSessionName`, `region`, and `identityStoreId`.

> **Collapse: Sample Configuration**
>
> ```json
> {
>   "configurationProperties": {
>     "accessKey": "ACCESS_KEY",
>     "secretKey": "xxxxxxxxxxxx",
>     "roleArn": "arn:aws:iam::000000000:role/USERNAME_ROLE",
>     "roleSessionName": "SESSION_NAME",
>     "region": "us-east-2",
>     "identityStoreId": "d-0a010101e0",
>     "sessionExpirationTime": 3600,
>     "proxyHost": null,
>     "proxyPort": null,
>     "proxyUsername": null,
>     "proxyPassword": null,
>     "connectionTimeout": null,
>     "maxConnections": null,
>     "readRateLimit": "20/sec",
>     "writeRateLimit": "10/sec"
>   }
> }
> ```
>
> |   |                                                        |
> | - | ------------------------------------------------------ |
> |   | On startup, IDM encrypts the value of the `secretKey`. |
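
The following Python script is an added example, not part of the connector or of this documentation. It checks a `configurationProperties` object against the constraints stated on this page before the configuration is pushed to IDM: the six minimum required properties are present and non-empty, `sessionExpirationTime` lies within 900 to 3600 seconds, the rate limits use the `<n>/sec` form and do not exceed the recommended 20/sec and 10/sec, and the proxy, timeout and pool settings are either `null` or sensible. The `roleArn` and `identityStoreId` format checks are assumptions drawn from AWS conventions rather than from this page (a 12-digit account ID in the role ARN; `d-` followed by ten hex digits, or a UUID, for the identity store ID), and every value in `SAMPLE` is a constructed placeholder.

```python
"""Pre-flight check of the AWS IAM Identity Center connector's
configurationProperties before they are pushed to IDM.
Added example: not part of the connector or of the Ping Identity docs."""
import re

# Minimum required properties named on this page.
REQUIRED = ("accessKey", "secretKey", "roleArn", "roleSessionName",
            "region", "identityStoreId")
# Documented bounds for sessionExpirationTime (Credentials Expiration Time).
MIN_EXPIRY, MAX_EXPIRY = 900, 3600
# Rate limits are written "<count>/sec"; the page recommends 20/sec read, 10/sec write.
RATE_RE = re.compile(r"^(\d+)/sec$")
# Assumed formats (AWS conventions, not stated on this page): an IAM role ARN
# carries a 12-digit account id; an identity store id is "d-" plus ten hex
# digits, or a UUID.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
IDENTITY_STORE_RE = re.compile(
    r"^(d-[0-9a-f]{10}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")

# Constructed sample; every value is a placeholder, not a real credential.
SAMPLE = {
    "accessKey": "ACCESS_KEY_PLACEHOLDER",
    "secretKey": "SECRET_KEY_PLACEHOLDER",
    "roleArn": "arn:aws:iam::123456789012:role/IdmProvisioningRole",
    "roleSessionName": "idm-awsiam",
    "region": "us-east-2",
    "identityStoreId": "d-0123456789",
    "sessionExpirationTime": 3600,
    "proxyHost": None, "proxyPort": None,
    "proxyUsername": None, "proxyPassword": None,
    "connectionTimeout": None, "maxConnections": None,
    "readRateLimit": "20/sec", "writeRateLimit": "10/sec",
}


def _check_rate(name, value, recommended, problems):
    """Rate limits must parse as '<n>/sec' and stay within the recommended rate."""
    match = RATE_RE.match(str(value))
    if not match:
        problems.append(f"{name}: expected '<n>/sec', got {value!r}")
    elif int(match.group(1)) > recommended:
        problems.append(f"{name}: {value} exceeds the recommended {recommended}/sec")


def validate(props):
    """Return a list of problems; an empty list means the properties look sane."""
    problems = []
    for key in REQUIRED:
        value = props.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: required property missing or empty")
    arn = props.get("roleArn")
    if isinstance(arn, str) and arn and not ROLE_ARN_RE.match(arn):
        problems.append(f"roleArn: not an IAM role ARN with a 12-digit account id: {arn!r}")
    store = props.get("identityStoreId")
    if isinstance(store, str) and store and not IDENTITY_STORE_RE.match(store):
        problems.append(f"identityStoreId: unexpected format: {store!r}")
    expiry = props.get("sessionExpirationTime")
    if expiry is not None and not (isinstance(expiry, int)
                                   and MIN_EXPIRY <= expiry <= MAX_EXPIRY):
        problems.append(f"sessionExpirationTime: must be {MIN_EXPIRY}..{MAX_EXPIRY} seconds, got {expiry!r}")
    for key, recommended in (("readRateLimit", 20), ("writeRateLimit", 10)):
        if props.get(key) is not None:
            _check_rate(key, props[key], recommended, problems)
    host, port = props.get("proxyHost"), props.get("proxyPort")
    if (host is None) != (port is None):
        problems.append("proxyHost and proxyPort must be set together or both null")
    if port is not None and not (isinstance(port, int) and 0 < port < 65536):
        problems.append(f"proxyPort: must be 1..65535, got {port!r}")
    for key in ("connectionTimeout", "maxConnections"):
        value = props.get(key)
        if value is not None and not (isinstance(value, int) and value > 0):
            problems.append(f"{key}: must be a positive integer or null, got {value!r}")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE) or ["configuration looks sane"]:
        print(problem)
```

Run the script against the `configurationProperties` object you intend to submit; it reports each violated constraint rather than stopping at the first, so a single pass shows everything that needs fixing before IDM encrypts and stores the `secretKey`.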

### Configure connection pooling

The AWS IAM Identity Center connector uses a [non-poolable mechanism](pooling.html#non-poolable-connectors) to manage connections. Learn more about the different pooling mechanisms in [Connectors by pooling mechanism](pooling.html#pooling-table).

## Mapping

> **Collapse: From AWS users to IDM or Advanced Identity Cloud users**
>
> In this table, each row maps a source attribute to its target attribute; the transformation script column gives the data transformation, if any, needed for the two to synchronize.
>
> | SOURCE              | TARGET              | TRANSFORMATION SCRIPT |
> | ------------------- | ------------------- | --------------------- |
> | `_id`               | `_id`               | N/A                   |
> | `__NAME__`          | `userName`          | N/A                   |
> | `displayName`       | `displayName`       | N/A                   |
> | `timezone`          | `timezone`          | N/A                   |
> | `nickname`          | `nickname`          | N/A                   |
> | `title`             | `title`             | N/A                   |
> | `locale`            | `locale`            | N/A                   |
> | `preferredLanguage` | `preferredLanguage` | N/A                   |
> | `profileUrl`        | `profileUrl`        | N/A                   |
> | `userType`          | `userType`          | N/A                   |
> | `name`              | `name`              | N/A                   |
> | `phoneNumbers`      | `phoneNumbers`      | N/A                   |
> | `addresses`         | `addresses`         | N/A                   |
> | `emails`            | `emails`            | N/A                   |
> | `externalIds`       | `externalIds`       | N/A                   |
> | `__GROUPS__`        | `groups`            | N/A                   |

> **Collapse: From IDM or Advanced Identity Cloud users to AWS users**
>
> In this table, each row maps a source attribute to its target attribute; the transformation script column gives the data transformation, if any, needed for the two to synchronize.
>
> | SOURCE              | TARGET              | TRANSFORMATION SCRIPT |
> | ------------------- | ------------------- | --------------------- |
> | `userName`          | `__NAME__`          | N/A                   |
> | `displayName`       | `displayName`       | N/A                   |
> | `timezone`          | `timezone`          | N/A                   |
> | `nickname`          | `nickname`          | N/A                   |
> | `title`             | `title`             | N/A                   |
> | `locale`            | `locale`            | N/A                   |
> | `preferredLanguage` | `preferredLanguage` | N/A                   |
> | `profileUrl`        | `profileUrl`        | N/A                   |
> | `userType`          | `userType`          | N/A                   |
> | `name`              | `name`              | N/A                   |
> | `phoneNumbers`      | `phoneNumbers`      | N/A                   |
> | `addresses`         | `addresses`         | N/A                   |
> | `emails`            | `emails`            | N/A                   |
> | `__GROUPS__`        | `groups`            | N/A                   |

> **Collapse: From AWS groups to IDM or Advanced Identity Cloud groups**
>
> In this table, each row maps a source attribute to its target attribute; the transformation script column gives the data transformation, if any, needed for the two to synchronize.
>
> | SOURCE        | TARGET        | TRANSFORMATION SCRIPT |
> | ------------- | ------------- | --------------------- |
> | `_id`         | `_id`         | N/A                   |
> | `__NAME__`    | `groupName`   | N/A                   |
> | `description` | `description` | N/A                   |
> | `externalIds` | `externalIds` | N/A                   |

> **Collapse: From IDM or Advanced Identity Cloud groups to AWS Groups**
>
> In this table, each row maps a source attribute to its target attribute; the transformation script column gives the data transformation, if any, needed for the two to synchronize.
>
> | SOURCE        | TARGET        | TRANSFORMATION SCRIPT |
> | ------------- | ------------- | --------------------- |
> | `__NAME__`    | `groupName`   | N/A                   |
> | `description` | `description` | N/A                   |

## Test the AWS IAM Identity Center connector

Test that the connector was configured correctly:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Accept-API-Version: resource=1.0' \
--request POST \
'http://localhost:8080/openidm/system/awsiam?_action=test'
{
    "name": "awsiam",
    "enabled": true,
    "config": "config/provisioner.openicf/awsiam",
    "connectorRef": {
        "bundleVersion": "1.5.20.33",
        "bundleName": "org.forgerock.openicf.connectors.awsiam-connector",
        "connectorName": "org.forgerock.openicf.connectors.awsiam.AwsIamConnector"
    },
    "displayName": "AWS IAM IC Connector",
    "objectTypes": [
        "__ACCOUNT__",
        "__ALL__",
        "__GROUP__"
    ],
    "ok": true
}
```

## Use the AWS IAM Identity Center connector

### User

#### Create user

To create a user in AWS IAM Identity Center, you must provide *at least* the `__NAME__`, `name` (with `givenName` and `familyName`) and `displayName` fields:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request POST \
--data '{
    "__NAME__": "JohnDoe",
    "displayName": "John Doe",
    "locale": "US",
    "nickName": "JonnyDoe",
    "timezone": "UTC",
    "title": "Engineer",
    "profileUrl": "https://www.profile.com/jdoe",
    "userType": "USER",
    "preferredLanguage": "us-US",
    "name": {
        "givenName": "John",
        "middleName": "Michael",
        "familyName": "Doe",
        "honorificPrefix": "Sr.",
        "honorificSufix": "PhD",
        "formatted": "Sr. John Michael Doe, PhD"
    },
    "addresses": {
        "type": "home",
        "streetAddress": "123 Main St",
        "locality": "Springfield",
        "region": "IL",
        "postalCode": "62701",
        "country": "USA",
        "primary": true,
        "formatted": "123 Main St, Springfield, IL 62701, USA"
    },
    "emails": {
        "type": "home",
        "value": "johndoe@example.com",
        "primary": true
    },
    "phoneNumbers": {
        "type": "mobile",
        "value": "+0101010101",
        "primary": true
    },
    "__GROUPS__": [
        "groupId1",
        "groupId2"
    ]
}' \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__?_action=create'
{
    "_id": "userId",
    "__NAME__": "JohnDoe",
    "displayName": "John Doe",
    "locale": "US",
    "nickName": "JonnyDoe",
    "timezone": "UTC",
    "title": "Engineer",
    "profileUrl": "https://www.profile.com/jdoe",
    "userType": "USER",
    "preferredLanguage": "us-US",
    "name": {
        "givenName": "John",
        "middleName": "Michael",
        "familyName": "Doe",
        "honorificPrefix": "Sr.",
        "honorificSufix": "PhD",
        "formatted": "Sr. John Michael Doe, PhD"
    },
    "addresses": {
        "type": "home",
        "streetAddress": "123 Main St",
        "locality": "Springfield",
        "region": "IL",
        "postalCode": "62701",
        "country": "USA",
        "primary": true,
        "formatted": "123 Main St, Springfield, IL 62701, USA"
    },
    "emails": {
        "type": "home",
        "value": "johndoe@example.com",
        "primary": true
    },
    "phoneNumbers": {
        "type": "mobile",
        "value": "+0101010101",
        "primary": true
    },
    "__GROUPS__": [
        "groupId1",
        "groupId2"
    ]
}
```

#### Get Users

Return all users from AWS IAM Identity Center.

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__?_queryFilter=true'
{
    "result": [
        {
            "_id": "",
            "__NAME__": "jdoe",
            "displayName": "John Doe",
            "name": {
                "givenName": "John",
                "middleName": "Michael",
                "familyName": "Doe"
            },
            "addresses": [],
            "emails": [],
            "phoneNumbers": [],
            "__GROUPS__": [
                "groupId1",
                "groupId2"
            ]
        },
        ...
        {
            "_id": "",
            "__NAME__": "jdoe",
            "displayName": "John Doe",
            "name": {
                "givenName": "John",
                "middleName": "Michael",
                "familyName": "Doe"
            },
            "addresses": [],
            "emails": [],
            "phoneNumbers": [],
            "__GROUPS__": [
                "groupId1",
                "groupId2"
            ]
        }
    ],
    "resultCount": 999,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}
```

|   |                                                                   |
| - | ----------------------------------------------------------------- |
|   | To paginate the results, the maximum value of `_pageSize` is 100. |

#### Get user

Return a user from AWS IAM Identity Center. The user ID must be provided in the URI path:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__/USER_ID'
{
    "_id": "userId",
    "__NAME__": "jdoe",
    "displayName": "John Doe",
    "locale": "en-US",
    "nickname": "Johnny",
    "timezone": "America/New_York",
    "title": "Software Engineer",
    "profileUrl": "https://www.profile.com/jdoe",
    "userType": "employee",
    "preferredLanguage": "en",
    "name": {
        "givenName": "John",
        "middleName": "Michael",
        "familyName": "Doe",
        "honorificPrefix": "Sr.",
        "honorificSufix": "PhD",
        "formatted": "Sr. John Michael Doe, PhD"
    },
    "addresses": {
        "type": "home",
        "streetAddress": "123 Main St",
        "locality": "Springfield",
        "region": "IL",
        "postalCode": "62701",
        "country": "USA",
        "primary": true,
        "formatted": "123 Main St, Springfield, IL 62701, USA"
    },
    "emails": {
        "type": "work",
        "value": "john.doe@example.com",
        "primary": true
    },
    "phoneNumbers": {
        "type": "mobile",
        "value": "+0101010101",
        "primary": true
    },
    "__GROUPS__": [
        "groupId1",
        "groupId2"
    ]
}
```

#### Get user by filter

Return a user from AWS IAM Identity Center:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__?_queryFilter=__NAME__%20eq%20"name"'
{
    "_id": "userId",
    "__NAME__": "jdoe",
    "displayName": "John Doe",
    "locale": "en-US",
    "nickname": "Johnny",
    "timezone": "America/New_York",
    "title": "Software Engineer",
    "profileUrl": "https://www.profile.com/jdoe",
    "userType": "employee",
    "preferredLanguage": "en",
    "name": {
        "givenName": "John",
        "middleName": "Michael",
        "familyName": "Doe",
        "honorificPrefix": "Sr.",
        "honorificSufix": "PhD",
        "formatted": "Sr. John Michael Doe, PhD"
    },
    "addresses": {
        "type": "home",
        "streetAddress": "123 Main St",
        "locality": "Springfield",
        "region": "IL",
        "postalCode": "62701",
        "country": "USA",
        "primary": true,
        "formatted": "123 Main St, Springfield, IL 62701, USA"
    },
    "emails": {
        "type": "work",
        "value": "john.doe@example.com",
        "primary": true
    },
    "phoneNumbers": {
        "type": "mobile",
        "value": "+0101010101",
        "primary": true
    },
    "__GROUPS__": [
        "groupId1",
        "groupId2"
    ]
}
```

|   |                                                      |
| - | ---------------------------------------------------- |
|   | The `__NAME__` field only supports the equal filter. |
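
The following Python helper is an added example (the connector ships no such client, and it is not part of this documentation) that covers the two read calls above: it pages through the connector's objects with `_pageSize` capped at the documented maximum of 100 and follows `pagedResultsCookie` until IDM returns none, and it looks a user up with the only filter `__NAME__` supports, `eq`, refusing names that would break out of the quoted string literal rather than trying to escape them. It assumes the local IDM base URL and `openidm-admin` credentials used in this page's curl commands. The HTTP transport is injected so the module also runs offline: `fake_idm`, its numeric cookie and `SAMPLE_USERS` are constructed test doubles (real IDM cookies are opaque strings).

```python
"""Offline-testable helper for two of the IDM REST calls shown on this page:
paging through the connector's objects with _pageSize (at most 100) and
_pagedResultsCookie, and looking a user up by the only supported __NAME__
filter, 'eq'. Added example: the connector ships no such client. Assumes the
local IDM URL and openidm-admin credentials used in the page's curl commands;
the transport callable is injected so the module runs with no server."""
import json
import urllib.parse
import urllib.request

BASE = "http://localhost:8080/openidm/system/awsiam"
MAX_PAGE_SIZE = 100  # the page's note: the maximum value of _pageSize


def _headers(user="openidm-admin", password="openidm-admin"):
    return {"X-OpenIDM-Username": user, "X-OpenIDM-Password": password,
            "Content-Type": "application/json"}


def http_transport(method, url, headers, body=None):
    """Real transport: send the request with urllib and decode the JSON reply."""
    data = None if body is None else json.dumps(body).encode()
    request = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def safe_filter_name(name):
    """The name is embedded in the filter literal __NAME__ eq "<name>"; reject
    names that could terminate that literal instead of trying to escape them."""
    return bool(name) and '"' not in name and "\\" not in name


def find_user(name, transport=http_transport, object_class="__ACCOUNT__"):
    """GET .../__ACCOUNT__?_queryFilter=__NAME__ eq "<name>" and return the single
    match, or None. __NAME__ supports only eq, so there is no operator argument."""
    if not safe_filter_name(name):
        raise ValueError(f"refusing to build a filter from {name!r}")
    query = urllib.parse.urlencode({"_queryFilter": f'__NAME__ eq "{name}"'})
    reply = transport("GET", f"{BASE}/{object_class}?{query}", _headers())
    results = reply.get("result", [])
    return results[0] if results else None


def iter_objects(object_class, transport=http_transport, page_size=MAX_PAGE_SIZE):
    """Yield every object of object_class (__ACCOUNT__ or __GROUP__), following
    pagedResultsCookie until IDM returns none."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"_pageSize must be between 1 and {MAX_PAGE_SIZE}")
    cookie = None
    while True:
        params = {"_queryFilter": "true", "_pageSize": page_size}
        if cookie:
            params["_pagedResultsCookie"] = cookie
        url = f"{BASE}/{object_class}?{urllib.parse.urlencode(params)}"
        reply = transport("GET", url, _headers())
        yield from reply.get("result", [])
        cookie = reply.get("pagedResultsCookie")
        if not cookie:
            return


def fake_idm(users):
    """Constructed stand-in for IDM used for offline runs: serves `users`
    _pageSize at a time with a numeric cookie and answers __NAME__ eq filters."""
    def transport(method, url, headers, body=None):
        assert method == "GET" and headers["X-OpenIDM-Username"] == "openidm-admin"
        query = dict(urllib.parse.parse_qsl(urllib.parse.urlparse(url).query))
        if query.get("_queryFilter", "true") != "true":
            wanted = query["_queryFilter"].split(" eq ", 1)[1].strip('"')
            hits = [u for u in users if u["__NAME__"] == wanted]
            return {"result": hits, "resultCount": len(hits)}
        size = int(query.get("_pageSize", MAX_PAGE_SIZE))
        start = int(query.get("_pagedResultsCookie", 0))
        page = users[start:start + size]
        more = start + size < len(users)
        return {"result": page, "resultCount": len(page),
                "pagedResultsCookie": str(start + size) if more else None}
    return transport


# Constructed sample directory of 250 users: more than two full pages.
SAMPLE_USERS = [{"_id": f"user-{i:04d}", "__NAME__": f"user{i}", "displayName": f"User {i}"}
                for i in range(250)]

if __name__ == "__main__":
    offline = fake_idm(SAMPLE_USERS)
    print(sum(1 for _ in iter_objects("__ACCOUNT__", transport=offline)), "users paged")
    print(find_user("user42", transport=offline))
```

Against a live IDM, call `iter_objects("__ACCOUNT__")` or `iter_objects("__GROUP__")` with the default transport; the rate limits configured on the connector still apply, so a full enumeration of a large store takes time proportional to its size divided by the page size.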

#### Get users IDs

Return all users from AWS IAM Identity Center displaying only the `_id` field:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__?_queryId=query-all-ids'
{
    "result": [
        {
            "_id": "userID1"
        },
        ...
        {
            "_id": "userID2"
        }
    ],
    "resultCount": 999,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}
```

#### Update user

Update a user in AWS IAM Identity Center. The user ID must be provided in the URI path:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request PUT \
--data '{
    "__NAME__": "JonnyDoe",
    "displayName": "Jonny Doe",
    "locale": "US",
    "nickName": "JonnyDoe",
    "timezone": "UTC",
    "title": "",
    "profileUrl": "https://www.profile.com/jonnydoe",
    "userType": "USER",
    "preferredLanguage": "us-US",
    "name": {
        "givenName": "Jonny",
        "middleName": "Michael",
        "familyName": "Doe",
        "honorificPrefix": "Jr.",
        "honorificSufix": "PhD",
        "formatted": "Jr. John Michael Doe, PhD"
    },
    "addresses": {
        "type": "home",
        "streetAddress": "123 Main St",
        "locality": "Springfield",
        "region": "IL",
        "postalCode": "60999",
        "country": "US",
        "primary": true,
        "formatted": "123 Main St, Springfield, IL 62701, USA"
    },
    "emails": {
        "type": "home",
        "value": "johndoe@example.com",
        "primary": true
    },
    "phoneNumbers": {
        "type": "home",
        "value": "505050",
        "primary": true
    },
    "__GROUPS__": [
        "groupID1",
        "groupID2"
    ]
}' \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__/USER_ID'
{
    "_id" : "userId",
    "__NAME__" : "JonnyDoe",
    "displayName" : "Jonny Doe",
    "locale" : "US",
    "nickName" : "JonnyDoe",
    "timezone" : "UTC",
    "title" : "",
    "profileUrl" : "https://www.profile.com/jonnydoe",
    "userType" : "USER",
    "preferredLanguage" : "us-US",
    "name" : {
        "givenName" : "Jonny",
        "middleName" : "middleName",
        "familyName" : "Doe",
        "honorificPrefix" : "Jr",
        "honorificSufix" : "PhD",
        "formatted" : "Jr. John Doe, PhD"
    },
    "addresses": {
        "type": "home",
        "streetAddress": "123 Main St",
        "locality": "Springfield",
        "region": "IL",
        "postalCode": "60999",
        "country": "US",
        "primary": true,
        "formatted": "123 Main St, Springfield, IL 62701, USA"
    },
    "emails" : {
        "type" : "home",
        "value" : "johndoe@example.com",
        "primary" : true
    },
    "phoneNumbers" : {
        "type" : "home",
        "value" : "505050",
        "primary" : true
    },
    "__GROUPS__" : [
        "groupID1",
        "groupID2"
    ]
}
```

#### Delete user

Delete a user in AWS IAM Identity Center. The user ID must be provided in the URI path:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request DELETE \
'http://localhost:8080/openidm/system/awsiam/__ACCOUNT__/USER_ID'
{
    "_id" : "userId",
    "__NAME__" : "JohnDoe",
    "displayName" : "John Doe",
    "locale" : "US",
    "nickName" : "JonnyDoe",
    "timezone" : "UTC",
    "title" : "",
    "profileUrl" : "www.example.doe",
    "userType" : "USER",
    "preferredLanguage" : "us-US",
    "name" : {
        "givenName" : "John",
        "middleName" : "middleName",
        "familyName" : "Doe",
        "honorificPrefix" : "Sr",
        "honorificSufix" : "PhD",
        "formatted" : "Sr. John Doe, PhD"
    },
    "addresses" : {
        "type" : "home",
        "streetAddress" : "false street",
        "locality" : "springfield",
        "region" : "north",
        "postalCode" : "0000",
        "country" : "US",
        "primary" : false,
        "formatted" : "no"
    },
    "emails" : {
        "type" : "home",
        "value" : "testeruser@example.com",
        "primary" : true
    },
    "phoneNumbers" : {
        "type" : "home",
        "value" : "505050",
        "primary" : true
    },
    "__GROUPS__" : [
        "groupID1",
        "groupID2"
    ]
}
```

### GROUPS

#### Create group

To create a group in AWS IAM Identity Center, you must provide *at least* the `__NAME__` field. The `description` field is optional:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request POST \
--data '{
    "__NAME__" : "New Group",
    "description" : "Some description"
}' \
'http://localhost:8080/openidm/system/awsiam/__GROUP__?_action=create'
{
    "_id": "groupId",
    "description": "description",
    "__NAME__": "New Group",
    "externalIds": []
}
```

#### Get groups

Return all groups from AWS IAM Identity Center.

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__GROUP__?_queryFilter=true'
{
    "result": [
        {
            "_id": "groupId1",
            "__NAME__": "Display name group 1",
            "description": "description",
            "externalIds": []
        },
        ...
        {
            "_id": "groupId99",
            "__NAME__": "Display name group 99",
            "description": "description",
            "externalIds": []
        }
    ],
    "resultCount": 99,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}
```

|   |                                                                   |
| - | ----------------------------------------------------------------- |
|   | To paginate the results, the maximum value of `_pageSize` is 100. |

#### Get groups IDs

Return all groups from AWS IAM Identity Center displaying only the `_id` field:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__GROUP__?_queryId=query-all-ids'
{
    "result": [
        {
            "_id": "groupID1"
        },
        ...
        {
            "_id": "groupID99"
        }
    ],
    "resultCount": 99,
    "pagedResultsCookie": null,
    "totalPagedResultsPolicy": "NONE",
    "totalPagedResults": -1,
    "remainingPagedResults": -1
}
```

#### Get group

Return a group from AWS IAM Identity Center. The group ID must be provided in the URI path:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__GROUP__/GROUP_ID'
{
    "_id": "groupId",
    "description": "Some description",
    "__NAME__": "Group Name",
    "externalIds": []
}
```

#### Get group by filter

Return a group from AWS IAM Identity Center:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request GET \
'http://localhost:8080/openidm/system/awsiam/__GROUP__?_queryFilter=__NAME__%20eq%20"Group%20Name"'
{
    "_id": "groupId",
    "description": "Some description",
    "__NAME__": "Group Name",
    "externalIds": []
}
```

|   |                                                      |
| - | ---------------------------------------------------- |
|   | The `__NAME__` field only supports the equal filter. |

#### Update a group

Update a group in AWS IAM Identity Center. The group ID must be provided in the URI path:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request PUT \
--header 'If-Match: *' \
--data '{
    "__NAME__" : "New DisplayName",
    "description" : "New Description"
}' \
'http://localhost:8080/openidm/system/awsiam/__GROUP__/GROUP_ID'
{
    "_id": "groupId",
    "description": "New description",
    "__NAME__": "New DisplayName",
    "externalIds": []
}
```

#### Delete a group

Delete a group in AWS IAM Identity Center. The group ID must be provided in the URI path:

```
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header 'Content-Type: application/json' \
--request DELETE \
'http://localhost:8080/openidm/system/awsiam/__GROUP__/GROUP_ID'
{
    "_id": "groupId",
    "description": "description",
    "__NAME__": "deleted group",
    "externalIds": []
}
```

## OpenICF Interfaces Implemented by the AWS IAM Identity Center Connector

The AWS IAM Identity Center Connector implements the following OpenICF interfaces. For additional details, see [ICF interfaces](interfaces.html):

* Create

  Creates an object and its `uid`.

* Delete

  Deletes an object, referenced by its `uid`.

* Schema

  Describes the object types, operations, and options that the connector supports.

* Script on Connector

  Enables an application to run a script in the context of the connector.

  Any script that runs on the connector has the following characteristics:

  * The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  * The script has access to a `connector` variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  * The script has access to any script arguments passed in by the application.

* Search

  Searches the target resource for all objects that match the specified object class and filter.

* Test

  Tests the connector configuration.

  Testing a configuration checks that all elements of the environment referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials specified in the configuration are valid.

  This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

  You can invoke the test operation before a connector configuration has been validated.

* Update

  Updates (modifies or replaces) objects on a target resource.


## AWS IAM Identity Center Connector Configuration

The AWS IAM Identity Center Connector has the following configurable properties:

### Basic Configuration Properties

| Property | Type | Default | Encrypted(1) | Required(2) | Description |
| --- | --- | --- | --- | --- | --- |
| `accessKey` | `String` | `null` |  | Yes | Provides the Access Key ID used to access the AWS IAM Identity Center service API. |
| `secretKey` | `GuardedString` | `null` | Yes | Yes | Provides the Secret Key used to access the AWS IAM Identity Center service API. |
| `roleArn` | `String` | `null` |  | Yes | Provides the Amazon Resource Name (ARN) of the role to assume. |
| `roleSessionName` | `String` | `null` |  | Yes | Temporary name for the role session. |
| `region` | `String` | `null` |  | Yes | Provides the AWS region. |
| `identityStoreId` | `String` | `null` |  | Yes | Provides the identity store ID for the user and group store. |
| `sessionExpirationTime` | `Integer` | `3600` |  | Yes | Provides the temporary session expiration time in seconds. |
| `proxyHost` | `String` | `null` |  | No | Provides the proxy host. |
| `proxyPort` | `String` | `null` |  | No | Provides the proxy port. |
| `proxyUsername` | `String` | `null` |  | No | Provides the proxy username. |
| `proxyPassword` | `GuardedString` | `null` | Yes | No | Provides the proxy password. |
| `connectionTimeout` | `Integer` | `null` |  | No | Provides the maximum connection timeout in seconds. |
| `maxConnections` | `Integer` | `null` |  | No | Provides the maximum number of connections. |
| `readRateLimit` | `String` | `null` |  | Yes | Defines throttling for read operations, either per second (`30/sec`) or per minute (`100/min`). |
| `writeRateLimit` | `String` | `null` |  | Yes | Defines throttling for write operations (create/update/delete), either per second (`30/sec`) or per minute (`100/min`). |

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.
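The table above is the contract a connector configuration has to meet: seven required properties plus the two rate limits, two `GuardedString` secrets that IDM is expected to encrypt, and rate-limit strings in the `N/sec` or `N/min` form. The following check is an added example, not part of the connector or of IDM; it encodes that table and reviews a `configurationProperties` object before it is deployed, flagging missing required properties, unknown keys, malformed rate limits, out-of-range session durations, and secrets that are still plain text. It assumes, as a labelled assumption, that an IDM-encrypted property value appears in the file as an object with a `$crypto` key; the sample configuration values are constructed placeholders.

```python
# Property table from the connector reference: name -> (required, encrypted GuardedString).
PROPERTIES = {
    "accessKey": (True, False),
    "secretKey": (True, True),
    "roleArn": (True, False),
    "roleSessionName": (True, False),
    "region": (True, False),
    "identityStoreId": (True, False),
    "sessionExpirationTime": (True, False),
    "proxyHost": (False, False),
    "proxyPort": (False, False),
    "proxyUsername": (False, False),
    "proxyPassword": (False, True),
    "connectionTimeout": (False, False),
    "maxConnections": (False, False),
    "readRateLimit": (True, False),
    "writeRateLimit": (True, False),
}

RATE_UNITS = {"sec": 1, "min": 60}  # divisor that turns the count into requests per second

# AWS STS AssumeRole accepts a DurationSeconds between 900 and 43200; this range comes from the
# STS API, not from the connector reference, and the role's own maximum session duration also applies.
STS_MIN_SESSION, STS_MAX_SESSION = 900, 43200


def parse_rate_limit(spec: str) -> float:
    """Convert '30/sec' or '100/min' into requests per second; raise ValueError on anything else."""
    try:
        count, unit = spec.strip().split("/")
        n = int(count)
    except (ValueError, AttributeError):
        raise ValueError(f"{spec!r} must look like '30/sec' or '100/min'")
    if n <= 0 or unit not in RATE_UNITS:
        raise ValueError(f"{spec!r} must use a positive count and a 'sec' or 'min' unit")
    return n / RATE_UNITS[unit]


def is_encrypted(value) -> bool:
    """Assumption: IDM stores an encrypted property as an object carrying a '$crypto' key."""
    return isinstance(value, dict) and "$crypto" in value


def validate_config(props: dict) -> list:
    """Return a list of human-readable findings; an empty list means the configuration passes."""
    findings = []
    for name, (required, guarded) in PROPERTIES.items():
        value = props.get(name)
        if value is None:
            if required:
                findings.append(f"{name}: required property is missing")
            continue
        if guarded and not is_encrypted(value):
            findings.append(f"{name}: secret is stored in plain text; let IDM encrypt it")
    for name in props:
        if name not in PROPERTIES:
            findings.append(f"{name}: unknown property")
    for name in ("readRateLimit", "writeRateLimit"):
        if props.get(name) is not None:
            try:
                parse_rate_limit(props[name])
            except ValueError as err:
                findings.append(f"{name}: {err}")
    ttl = props.get("sessionExpirationTime")
    if ttl is not None and (not isinstance(ttl, int) or not STS_MIN_SESSION <= ttl <= STS_MAX_SESSION):
        findings.append(f"sessionExpirationTime: {ttl!r} is outside {STS_MIN_SESSION}..{STS_MAX_SESSION} seconds")
    return findings


# Constructed sample: the AWS documentation's example access key and account ID, and a
# deliberately plain-text secretKey so that the check has something to report.
SAMPLE_CONFIG = {
    "accessKey": "AKIAIOSFODNN7EXAMPLE",
    "secretKey": "plain-text-secret-placeholder",
    "roleArn": "arn:aws:iam::123456789012:role/IdmProvisioner",
    "roleSessionName": "idm-provisioning",
    "region": "us-east-1",
    "identityStoreId": "d-0000000000",
    "sessionExpirationTime": 3600,
    "readRateLimit": "30/sec",
    "writeRateLimit": "100/min",
}

# The same configuration after IDM has encrypted the secret (structure assumed, see is_encrypted).
HARDENED_CONFIG = dict(SAMPLE_CONFIG, secretKey={"$crypto": {"type": "x-simple-encryption", "value": "..."}})

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, validate_config(cfg) or "OK")
```

Run the check against the `configurationProperties` object of the provisioner file before loading it into IDM; the findings for the sample configuration consist of the plain-text `secretKey`, and the hardened copy passes.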
