--- title: Amazon Web Services (AWS) connector description: Amazon Web Services (AWS) Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. The AWS connector lets you manage and synchronize accounts between AWS and IDM managed user objects. You can also search, assign, and unassign certain other objects from AWS. component: openicf page_id: openicf:connector-reference:aws-iam canonical_url: https://docs.pingidentity.com/openicf/connector-reference/aws-iam.html section_ids: before_you_start: Before you start install_the_aws_connector: Install the AWS connector configure_the_aws_connector: Configure the AWS connector test_the_aws_connector: Test the AWS connector aws_remote_connector: AWS remote connector config-connection-pooling-aws-iam: Configure connection pooling supported_resource_types: Supported resource types supported_search_filters: Supported search filters supported_attributes: Supported attributes aws_account_user_attributes: AWS account (user) attributes aws_group_attributes: AWS group attributes aws_role_attributes: AWS role attributes aws_managed_policy_attributes: AWS managed policy attributes aws_inline_policy_attributes: AWS inline policy attributes aws_service_control_policy_scp_attributes: AWS Service Control Policy (SCP) attributes aws_organizational_unit_ou_attributes: AWS Organizational Unit (OU) attributes use_the_aws_connector: Use the AWS connector user_account_operations: User account operations create_an_aws_user: Create an AWS user update_an_aws_user: Update an AWS user assign_other_objects_to_a_user: Assign other objects to a user unassign_other_objects_from_a_user: Unassign other objects from a user query_aws_users: Query AWS users reset_an_aws_user_account_password: Reset an AWS user account password delete_an_aws_user_account: Delete an AWS user account other_object_type_operations: Other object type operations query_aws_groups: Query AWS Groups query_aws_roles: Query AWS Roles query_aws_managed_policies: Query AWS Managed Policies query_aws_inline_policies: Query AWS Inline Policies query_aws_service_control_policies_scps: Query AWS Service Control Policies (SCPs) query_aws_organizational_units: Query AWS organizational units implemented-interfaces-org-forgerock-openicf-connectors-aws-AwsConnector-1.5.20.34: OpenICF Interfaces Implemented by the AWS Connector config-properties-org-forgerock-openicf-connectors-aws-AwsConnector-1.5.20.34: AWS Connector Configuration basic-configuration-properties-org-forgerock-openicf-connectors-aws-AwsConnector-1.5.20.34: Basic Configuration Properties --- # Amazon Web Services (AWS) connector Amazon Web Services (AWS) Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. The AWS connector lets you manage and synchronize accounts between AWS and IDM managed user objects. You can also search, assign, and unassign certain other objects from AWS. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | To use this connector, you must have an AWS administrator account with proper access to AWS as described in the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/APIReference/welcome.html). | ## Before you start Before you configure the connector, log in to your AWS administrator account and note the following: * Access Key ID The AWS access key ID for the IAM user whose credentials are used to call AWS APIs. * Secret Key ID The AWS secret access key associated with the access key ID. * Role ARN The Amazon Resource Name (ARN) for the role. * Credentials Expiration Time (in seconds) to configure the duration in which the temporary credentials expire. Optional. Default: `3600`. * Region The host region of the AWS instance. * Parent ID The unique identifier assigned to the parent entity in the AWS Organization hierarchy. Required for Organizational Unit operations. * UserName The unique name of a user. Required specifically for retrieving inline policies associated with that user. ## Install the AWS connector | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To check for an Advanced Identity Cloud application for this connector, refer to:- [Application management](https://docs.pingidentity.com/pingoneaic/latest/app-management/applications.html) - [App catalog](https://docs.pingidentity.com/pingoneaic/latest/app-management/app-catalog.html) | You can download any connector from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors), but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration. **Connector included in default deployment** | Connector | IDM | RCS | | ----------------------------------------- | ----------------------- | ----------------------- | | [Amazon Web Services (AWS)](aws-iam.html) | [icon: times, set=fa]No | [icon: times, set=fa]No | Download the connector .jar file from [Backstage](https://backstage.forgerock.com/downloads/browse/idm/featured/connectors). * If you're running the connector locally, place it in the `/path/to/openidm/connectors` directory, for example: ``` mv ~/Downloads/aws-connector-1.5.20.34.jar /path/to/openidm/connectors/ ``` * If you're using a remote connector server (RCS), place it in the `/path/to/openicf/connectors` directory on the RCS. ## Configure the AWS connector Create a connector configuration using the IDM admin UI: 1. From the navigation bar, click Configure > Connectors. 2. On the Connectors page, click New Connector. 3. On the New Connector page, type a Connector Name. 4. From the Connector Type list, select AWS Connector - 1.5.20.34. 5. Complete the Base Connector Details and any applicable Additional Options. | | | | - | ------------------------------------------------------------------------------------------------------------ | | | For a list of all configuration properties, refer to [AWS Connector Configuration](#aws-config-prop-ezLink). | 6. Click Save. When your connector is configured correctly, the connector displays as Active in the admin UI. Refer to [this procedure](configure-connector.html#connector-wiz-REST) to create a connector configuration over REST. ### Test the AWS connector Test that the configuration is correct by running the following command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system/aws?_action=test" { "name": "aws", "enabled": true, "config": "config/provisioner.openicf/aws", "connectorRef": { "bundleVersion": "[1.5.0.0,1.6.0.0)", "bundleName": "org.forgerock.openicf.connectors.aws-connector", "connectorName": "org.forgerock.openicf.connectors.aws.AwsConnector" }, "displayName": "AWS Connector", "objectTypes": [ "__ACCOUNT__", "__GROUP__", "__ROLE__", "__MANAGEDPOLICY__", "__INLINEPOLICY__", "__SERVICECONTROLPOLICY__", "__ORGUNIT__" ], "ok": true } ``` If the command returns `"ok": true`, your connector has been configured correctly and can authenticate to the AWS system. ### AWS remote connector If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the AWS connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM. You can download the AWS connector [from here](https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors). Refer to [Remote connectors](remote-connector.html) for configuring the AWS remote connector. ### Configure connection pooling The AWS connector uses [connector-specific pooling](pooling.html#connector-specific-pooling) to manage connections. Learn more about the different pooling mechanisms in [Connectors by pooling mechanism](pooling.html#pooling-table). ## Supported resource types The connector maps the following ICF native types to AWS resource types: | ICF Native Type | AWS Resource Type | Naming Attribute | | -------------------------- | ---------------------- | ------------------------------------------------------------------------------- | | `__ACCOUNT__` | User | `__NAME__` | | `__GROUP__` | Group | `__NAME__` | | `__ROLE__` | Role | `__NAME__` | | `__MANAGEDPOLICY__` | Managed Policy | `__NAME__`Maps to PolicyArn | | `__INLINEPOLICY__` | Inline Policy | `__NAME__`Maps to PolicyName | | `__SERVICECONTROLPOLICY__` | Service Control Policy | `__NAME__`Maps to PolicyId | | `__ORGUNIT__` | Organizational Unit | `__NAME__`Maps to ParentId or Organizational Unit Name/Arn depending on context | ## Supported search filters The AWS connector supports search operations with the following filter operators and attributes: | Object Type | Operator | Attributes | | -------------------------- | ------------- | -------------------------------- | | `__ACCOUNT__` | Equals filter | `Path`, `UserName` (`__NAME__`) | | `__GROUP__` | Equals filter | `Path`, `GroupName` (`__NAME__`) | | `__ROLE__` | Equals filter | `Path`, `RoleName` (`__NAME__`) | | `__MANAGEDPOLICY__` | Equals filter | `Path`, `PolicyArn` (`__NAME__`) | | `__INLINEPOLICY__` | Equals filter | `PolicyName` (`__NAME__`) | | `__SERVICECONTROLPOLICY__` | Equals filter | `PolicyId` (`__NAME__`) | | `__ORGUNIT__` | Equals filter | `ParentId` (`__NAME__`) | ## Supported attributes The AWS connector supports the following attributes. ### AWS account (user) attributes The AWS connector supports the following AWS account attributes: | Attribute | Description | | -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `UserName` | The name of the user. Required. Can contain up to 64 letters, digits, and the characters `+`, `=`, `,`, `.`, `@`, `_`, `-`. Must be unique within the account. | | `UserId` | Auto-generated unique user ID. Read-only. | | `Path` | The path for the user. Used to create a folder-like hierarchy. Default value is `/`. | | `Password` | Password for the user's console login profile. Write-only. | | `Arn` | Amazon Resource Names (ARNs) uniquely identify the AWS resource. Read-only. | | `CreatedDate` | Date the user was created, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601). Read-only. | | `PasswordLastUsed` | Date the user's password was last used for login. Read-only. | | `PermissionBoundary` | The ARN of the policy used to set the permissions boundary for the user. | | `Tags` | A list of customizable key-value pairs attached to the user. For example:```json "Tags": [{ "Key": "Department", "Value": "Accounting" }] ```Learn more about [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the AWS documentation. | | `Group` | List of group names the user belongs to. | | `ManagedPolicy` | List of managed policy ARNs attached to the user. | | `InlinePolicy` | List of inline policies embedded in the user. Each item contains `PolicyName` and `PolicyDocument`. | | `Role` | List of roles assigned to the user. Each item contains `RoleName` and potentially `PolicyArn`. | ### AWS group attributes | Attribute | Description | | ----------- | ------------------------------------------------------------------------------------------------ | | `GroupName` | Name of the group. Required. | | `GroupId` | Auto-generated unique group ID. Read-only. | | `Arn` | Amazon Resource Name (ARN) uniquely identifies the group resource. Read-only. | | `Path` | The path for the group. Used to create a folder-like hierarchy. Default value is `/`. Read-only. | ### AWS role attributes | Attribute | Description | | -------------------------- | ----------------------------------------------------------------------------------------------- | | `RoleName` | Name of the Role. Required. | | `RoleId` | Auto-generated unique role ID. Read-only. | | `Path` | The path for the role. Used to create a folder-like hierarchy. Default value is `/`. Read-only. | | `Arn` | Amazon Resource Name (ARN) uniquely identifies the role resource. Read-only. | | `CreateDate` | Date the role was created. Read-only. | | `AssumeRolePolicyDocument` | The trust policy document associated with the role. Read-only. | ### AWS managed policy attributes | Attribute | Description | | ------------------------------- | -------------------------------------------------------------------------------------------------------------- | | `PolicyArn` | The Amazon Resource Name (ARN) uniquely identifies the Managed Policy. Required for identification. Read-only. | | `PolicyId` | Auto-generated unique policy ID. Read-only. | | `PolicyName` | Name of the policy. Read-only. | | `Path` | The path for the policy. Used to create a folder-like hierarchy. Default value is `/`. Read-only. | | `CreateDate` | Date the policy was created. Read-only. | | `AttachmentCount` | Number of entities (users, groups, roles) attached to the policy. Read-only. | | `IsAttachable` | Whether the policy can be attached to users, groups, or roles. Read-only. | | `DefaultVersionId` | The identifier for the default version of the policy. Read-only. | | `PermissionsBoundaryUsageCount` | Number of entities using this policy as a permissions boundary. Read-only. | | `UpdateDate` | Date the policy was last updated. Read-only. | ### AWS inline policy attributes | Attribute | Description | | ---------------- | ------------------------------------------------------------------------------- | | `PolicyName` | Name of the inline policy. Required. | | `UserName` | Name of the user the inline policy is attached to. Required for identification. | | `PolicyDocument` | The policy document. | ### AWS Service Control Policy (SCP) attributes | Attribute | Description | | --------------- | ---------------------------------------------------------------------------------------- | | `Id` | The unique identifier (ID) of the SCP. Required for identification. Read-only. | | `PolicyName` | Name of the SCP. Read-only. | | `PolicySummary` | Object containing details like Arn, Type, Description, and AwsManaged status. Read-only. | ### AWS Organizational Unit (OU) attributes | Attribute | Description | | --------------------- | ----------------------------------------------------------------------------------------------------- | | `ParentId` | The unique identifier (ID) of the parent entity (root or OU). Required for identification. Read-only. | | `OrganizationalUnits` | List of OU objects, each containing `Name` and `Arn`. Read-only. | ## Use the AWS connector You can use the AWS connector to perform create, read, update, and delete (CRUD) operations on AWS IAM objects. ### User account operations #### Create an AWS user The following example creates a user with the minimum required attributes: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --request POST \ --data '{ "__NAME__": "bjensen" }' \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__?_action=create" ``` Response ```json { "_id": "bjensen", "Path": "/", "UserId": "AIDAW3FY74V57KNBRIDU6", "__NAME__": "bjensen", "Arn": "arn:aws:iam::470686885243:user/bjensen", "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022" } ``` The following example creates a user with all assignable attributes: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --request POST \ --data '{ "__NAME__": "jdoe", "Path": "/engineering/", "__PASSWORD__": "P@ssw0rd123!", "PermissionsBoundary": "arn:aws:iam::aws:policy/PowerUserAccess", "Tags": [{ "Key": "Project", "Value": "Phoenix" }], "__GROUP__": ["developers"], "__MANAGEDPOLICY__": ["arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"], "__ROLE__": [{"RoleName": "EC2InstanceRole"}], "__INLINEPOLICY__": [{ "PolicyName": "S3BucketAccess", "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" }] } }] }' \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__?_action=create" ``` Response: ```json { "_id": "jdoe", "CreatedDate": "Fri May 02 13:00:00 PDT 2025", "Arn": "arn:aws:iam::123456789012:user/engineering/jdoe", "__INLINEPOLICY__": [ { "PolicyName": "S3BucketAccess" } ], "__NAME__": "jdoe", "__GROUP__": [ "developers" ], "Path": "/engineering/", "__ROLE__": [ { "RoleName": "EC2InstanceRole" } ], "PermissionsBoundary": "arn:aws:iam::aws:policy/PowerUserAccess", "__MANAGEDPOLICY__": [ "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess" ], "Tags": [ { "Project": "Phoenix" } ], "UserId": "AIDACKCEVSQ6C2EXAMPLE" } ``` | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | * You must specify at least `__NAME__` when creating a user. * Usernames can be up to 64 characters long and include letters, digits, and `+ = , . @ _ -`. * []()Assigning roles (`__ROLE__`) during user creation is informational in IAM; roles are assumed, not directly assigned like groups or policies. The connector reflects attached policies for consistency but doesn't perform role assignment in the AWS sense. | #### Update an AWS user Modify an existing user with a PUT request. Include all attributes you want the user to have; attributes not included in the PUT request might be removed or reset depending on the target system behavior (often equivalent to PATCH for specific fields like Tags, Group, Policy, Role additions/removals). Modifiable attributes: * `__NAME__` (Requires specifying the old ID in the URL) * `__PASSWORD__` (Use PATCH for password changes) * `Path` * `PermissionsBoundary` * `Tags` * `__GROUP__` * `__MANAGEDPOLICY__` * `__INLINEPOLICY__` * `__ROLE__` (Reference the [note in Create an AWS user](#role-note-create)) For example, to add a new tag to a user: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --header "If-Match:*" \ --request PUT \ --data '{ "__NAME__": "bjensen", "Tags": [{ "Key": "Project", "Value": "Meteor" }] }' \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" { "_id": "bjensen", "Path": "/", "UserId": "AIDAW3FY74V57KNBRIDU6", "__NAME__": "bjensen", "Arn": "arn:aws:iam::470686885243:user/bjensen", "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", "Tags": [ { "Project": "Meteor" } ] } ``` #### Assign other objects to a user Use PATCH or PUT to add groups, managed policies, inline policies, or roles to a user. Example using PATCH to add a group and a managed policy: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --header "If-Match:*" \ --request PATCH \ --data '[ {"operation": "add", "field": "__GROUP__", "value": ["qa-team"]}, {"operation": "add", "field": "__MANAGEDPOLICY__", "value": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]} ]' \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__/jdoe" ``` #### Unassign other objects from a user Use PATCH or PUT to remove groups, managed policies, inline policies, or roles from a user. Example using PATCH to remove a group and an inline policy: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --header "If-Match:*" \ --request PATCH \ --data '[ {"operation": "remove", "field": "__GROUP__", "value": ["frontend-devs"]}, {"operation": "remove", "field": "__INLINEPOLICY__", "value": [{"PolicyName": "S3BucketAccess"}]} ]' \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__/jdoe" ``` #### Query AWS users The following example queries all AWS users: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --request GET \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__?_queryId=query-all-ids" { "result": [ { "_id": "bjensen" }, { "_id": "frank@example.com" }, { "_id": "testFR4User" }, { "_id": "testFR5User" }, { "_id": "testFR6User" } ], …​ } ``` The following command queries a specific user by their ID: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --request GET \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" { "_id": "bjensen", "Path": "/", "UserId": "AIDAW3FY74V57KNBRIDU6", "__NAME__": "bjensen", "Arn": "arn:aws:iam::470686885243:user/bjensen", "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", "Tags": [ { "Project": "Meteor" } ] } ``` #### Reset an AWS user account password ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --header "if-Match:*" \ --request PATCH \ --data '[{ "operation": "add", "field": "__PASSWORD__", "value": "Passw0rd@123!" }]' \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" { "_id": "bjensen", "Path": "/", "UserId": "AIDAW3FY74V57KNBRIDU6", "__NAME__": "bjensen", "Arn": "arn:aws:iam::470686885243:user/bjensen", "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", "Tags": [ { "Project": "Meteor" } ] } ``` | | | | - | ----------------------------------------------------------------------------------------------- | | | While the `__PASSWORD__` field is not returned in the response, the user's password is updated. | #### Delete an AWS user account Use a DELETE request to remove a user from AWS IAM. ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Content-Type: application/json" \ --request DELETE \ "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" { "_id": "bjensen", "Path": "/", "UserId": "AIDAW3FY74V57KNBRIDU6", "__NAME__": "bjensen", "Arn": "arn:aws:iam::470686885243:user/bjensen", "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", "Tags": [ { "Project": "Meteor" } ] } ``` ### Other object type operations A similar query pattern applies to groups, roles, managed policies, inline policies, service control policies, and organizational units using their respective object types (`GROUP`, `ROLE`, and so on.) in the request URL. For example, `_queryFilter=True` to return all applicable objects, and using the specific object ID to return a particular object. #### Query AWS Groups Query all groups: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__GROUP__?_queryFilter=True" ``` Response ```json { "result": [ { "_id": "forge", "Path": "/", "__NAME__": "forge", "GroupId": "AGPAW3FY74V5TAMVGJTDO", "GroupName": "forge", "Arn": "arn:aws:iam::470686885243:group/forge" }, { "_id": "IAMAdministrator", "Path": "/", "__NAME__": "IAMAdministrator", "GroupId": "AGPAW3FY74V5XKCZVOQI5", "GroupName": "IAMAdministrator", "Arn": "arn:aws:iam::470686885243:group/IAMAdministrator" }, { "_id": "SuperUser", "Path": "/", "__NAME__": "SuperUser", "GroupId": "AGPAW3FY74V5XANUBMNXT", "GroupName": "SuperUser", "Arn": "arn:aws:iam::470686885243:group/SuperUser" }, { "_id": "TempGroup", "Path": "/", "__NAME__": "TempGroup", "GroupId": "AGPAW3FY74V5RBM7LKG5S", "GroupName": "TempGroup", "Arn": "arn:aws:iam::470686885243:group/TempGroup" }, { "_id": "Windows_Access", "Path": "/", "__NAME__": "Windows_Access", "GroupId": "AGPAW3FY74V57Z7SG3GRY", "GroupName": "Windows_Access", "Arn": "arn:aws:iam::470686885243:group/Windows_Access" } ], ... } ``` Query a specific group: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__GROUP__/developers" ``` Response ```json { "_id": "developers", "Path": "/", "__NAME__": "developers", "GroupId": "AGPACKCEVSQ6C2EXAMPLE", "GroupName": "developers", "Arn": "arn:aws:iam::123456789012:group/developers" } ``` #### Query AWS Roles Query all roles: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__ROLE__?_queryFilter=True" ``` Response ```json { "result": [ { "_id": "Adminrole", "CreatedDate": "Fri Mar 08 13:24:10 IST 2024", "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%2C%22Condition%22%3A%7B%7D%7D%5D%7D", "__NAME__": "Adminrole", "Path": "/", "RoleArn": "arn:aws:iam::470686885243:role/Adminrole", "RoleName": "Adminrole", "RoleId": "AROAW3FY74V5XMWBZPK5U" }, { "_id": "aws-quicksight-secretsmanager-role-v0", "CreatedDate": "Fri Jan 26 23:37:52 IST 2024", "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22quicksight.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D", "__NAME__": "aws-quicksight-secretsmanager-role-v0", "Path": "/service-role/", "RoleArn": "arn:aws:iam::470686885243:role/service-role/aws-quicksight-secretsmanager-role-v0", "RoleName": "aws-quicksight-secretsmanager-role-v0", "RoleId": "AROAW3FY74V54P5FRC3ZC" }, ... ] } ``` Query a specific role: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__ROLE__/AWSTokenRole" ``` Response ```json { "_id": "AWSTokenRole", "CreatedDate": "Mon Mar 28 19:23:45 IST 2022", "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10- 17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%2C%22Condition%22%3A%7B%7D%7D%5D%7D", "__NAME__": "AWSTokenRole", "Path": "/", "RoleArn": "arn:aws:iam::470686885243:role/AWSTokenRole", "RoleName": "AWSTokenRole", "RoleId": "AROAW3FY74V54K33FGL7Z" } ``` #### Query AWS Managed Policies Query all managed policies: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__MANAGEDPOLICY__?_queryFilter=True" ``` Response ```json { "result": [ { "_id": "arn:aws:iam::aws:policy/AdministratorAccess", ... }, { "_id": "arn:aws:iam::aws:policy/PowerUserAccess", ... }, { "_id": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess", ... }, ... ], ... } ``` Query a specific managed policy using ARN as the ID: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__MANAGEDPOLICY__/arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess" ``` Response ```json { "_id": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess", "UpdateDate": "...", "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess", "AttachmentCount": "5", "CreatedDate": "...", "PermissionsBoundaryUsageCount": "0", "__NAME__": "AmazonEC2ReadOnlyAccess", "PolicyName": "AmazonEC2ReadOnlyAccess", "IsAttachable": "true", "Path": "/", "DefaultVersionId": "v15", "PolicyId": "ANPACKCEVSQ6C2EXAMPLE" } ``` #### Query AWS Inline Policies Query all inline policies: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__INLINEPOLICY__?_queryFilter=True" ``` Response ```json { "result": [ { "_id": "Demo_Inline", "Username": "Enduser", "PolicyDocument": "%7B%20%09%22Version%22%3A%20%222012-10-17%22%2C%20%09%22Statement%22%3A%20%5B%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%5B%20%09%09%09%09%22iam%3AGenerateCredentialReport%22%2C%20%09%09%09%09%22iam%3AGetAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetailsWithEntities%22%2C%20%09%09%09%09%22iam%3AListServerCertificates%22%2C%20%09%09%09%09%22iam%3ASetSTSRegionalEndpointStatus%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetails%22%2C%20%09%09%09%09%22iam%3AListVirtualMFADevices%22%2C%20%09%09%09%09%22iam%3AGetOrganizationsAccessReport%22%2C%20%09%09%09%09%22iam%3ASetSecurityTokenServicePreferences%22%2C%20%09%09%09%09%22iam%3AUpdateAccountName%22%2C%20%09%09%09%09%22iam%3ASimulateCustomPolicy%22%2C%20%09%09%09%09%22iam%3AGetAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ACreateAccountAlias%22%2C%20%09%09%09%09%22iam%3AUpdateAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetAccountAuthorizationDetails%22%2C%20%09%09%09%09%22iam%3ADeleteCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ADeleteAccountAlias%22%2C%20%09%09%09%09%22iam%3AGetCredentialReport%22%2C%20%09%09%09%09%22iam%3AListPolicies%22%2C%20%09%09%09%09%22iam%3ADeleteAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListSAMLProviders%22%2C%20%09%09%09%09%22iam%3AListCloudFrontPublicKeys%22%2C%20%09%09%09%09%22iam%3AListRoles%22%2C%20%09%09%09%09%22iam%3AListInstanceProfiles%22%2C%20%09%09%09%09%22iam%3AUploadCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetContextKeysForCustomPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListOpenIDConnectProviders%22%2C%20%09%09%09%09%22iam%3AGetAccountName%22%2C%20%09%09%09%09%22iam%3AListAccountAliases%22%2C%20%09%09%09%09%22iam%3AListUsers%22%2C%20%09%09%09%09%22iam%3AListGroups%22%2C%20%09%09%09%09%22iam%3AListSTSRegionalEndpointsStatus%22%2C%20%09%09%09%09%22iam%3AGetAccountSummary%22%20%09%09%09%5D%2C%20%09%09%09%22Resource%22%3A%20%22%2A%22%20%09%09%7D%2C%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor1%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%20%09%09%09%22Resource%22%3A%20%5B%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Auser%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aaccess-report%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aoidc-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Apolicy%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Amfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Ainstance-profile%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asms-mfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Agroup%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asaml-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Arole%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aserver-certificate%2F%2A%22%20%09%09%09%5D%20%09%09%7D%20%09%5D%20%7D", "PolicyName": "Demo_Inline", "__NAME__": "Demo_Inline" }, { "_id": "inline_example", "Username": "Enduser", "PolicyDocument": "%7B%0A%09%22Version%22%3A%20%222012-10-17%22%2C%0A%09%22Statement%22%3A%20%5B%0A%09%09%7B%0A%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%0A%09%09%09%22Effect%22%3A%20%22Allow%22%2C%0A%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%0A%09%09%09%22Resource%22%3A%20%22%2A%22%0A%09%09%7D%0A%09%5D%0A%7D", "PolicyName": "inline_example", "__NAME__": "inline_example" }, { "_id": "Test_Inline_Policy", "Username": "Enduser", "PolicyDocument": "%7B%0A%09%22Version%22%3A%20%222012-10-17%22%2C%0A%09%22Statement%22%3A%20%5B%0A%09%09%7B%0A%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%0A%09%09%09%22Effect%22%3A%20%22Allow%22%2C%0A%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%0A%09%09%09%22Resource%22%3A%20%22%2A%22%0A%09%09%7D%0A%09%5D%0A%7D", "PolicyName": "Test_Inline_Policy", "__NAME__": "Test_Inline_Policy" } ], ... } ``` Query a specific inline policy: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__INLINEPOLICY__/Demo_Inline" ``` Response ```json { "_id": "Demo_Inline", "Username": "Enduser", "PolicyDocument": "%7B%20%09%22Version%22%3A%20%222012-10-17%22%2C%20%09%22Statement%22%3A%20%5B%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%5B%20%09%09%09%09%22iam%3AGenerateCredentialReport%22%2C%20%09%09%09%09%22iam%3AGetAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetailsWithEntities%22%2C%20%09%09%09%09%22iam%3AListServerCertificates%22%2C%20%09%09%09%09%22iam%3ASetSTSRegionalEndpointStatus%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetails%22%2C%20%09%09%09%09%22iam%3AListVirtualMFADevices%22%2C%20%09%09%09%09%22iam%3AGetOrganizationsAccessReport%22%2C%20%09%09%09%09%22iam%3ASetSecurityTokenServicePreferences%22%2C%20%09%09%09%09%22iam%3AUpdateAccountName%22%2C%20%09%09%09%09%22iam%3ASimulateCustomPolicy%22%2C%20%09%09%09%09%22iam%3AGetAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ACreateAccountAlias%22%2C%20%09%09%09%09%22iam%3AUpdateAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetAccountAuthorizationDetails%22%2C%20%09%09%09%09%22iam%3ADeleteCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ADeleteAccountAlias%22%2C%20%09%09%09%09%22iam%3AGetCredentialReport%22%2C%20%09%09%09%09%22iam%3AListPolicies%22%2C%20%09%09%09%09%22iam%3ADeleteAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListSAMLProviders%22%2C%20%09%09%09%09%22iam%3AListCloudFrontPublicKeys%22%2C%20%09%09%09%09%22iam%3AListRoles%22%2C%20%09%09%09%09%22iam%3AListInstanceProfiles%22%2C%20%09%09%09%09%22iam%3AUploadCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetContextKeysForCustomPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListOpenIDConnectProviders%22%2C%20%09%09%09%09%22iam%3AGetAccountName%22%2C%20%09%09%09%09%22iam%3AListAccountAliases%22%2C%20%09%09%09%09%22iam%3AListUsers%22%2C%20%09%09%09%09%22iam%3AListGroups%22%2C%20%09%09%09%09%22iam%3AListSTSRegionalEndpointsStatus%22%2C%20%09%09%09%09%22iam%3AGetAccountSummary%22%20%09%09%09%5D%2C%20%09%09%09%22Resource%22%3A%20%22%2A%22%20%09%09%7D%2C%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor1%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%20%09%09%09%22Resource%22%3A%20%5B%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Auser%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aaccess-report%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aoidc-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Apolicy%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Amfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Ainstance-profile%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asms-mfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Agroup%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asaml-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Arole%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aserver-certificate%2F%2A%22%20%09%09%09%5D%20%09%09%7D%20%09%5D%20%7D", "PolicyName": "Demo_Inline", "__NAME__": "Demo_Inline" } ``` #### Query AWS Service Control Policies (SCPs) Query all SCPs: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__SERVICECONTROLPOLICY__?_queryFilter=True" ``` Response ```json { "result": [ { "_id": "p-FullAWSAccess", "PolicyName": "FullAWSAccess", "__NAME__": "FullAWSAccess", "Id": "p-FullAWSAccess", "PolicySummary": [ { "Type": "SERVICE_CONTROL_POLICY", "Description": "", "Arn": "arn:aws:organizations::470686885243:policy/o-r7bvsqr1wd/service_control_policy/p-pcmxrekp", "AwsManaged": "false" } ] }, { "_id": "p-pcmxrekp", "PolicyName": "Sandbox SCP", "__NAME__": "Sandbox SCP", "Id": "p-pcmxrekp", "PolicySummary": [ { "Type": "SERVICE_CONTROL_POLICY", "Description": "", "Arn": "arn:aws:organizations::470686885243:policy/o-r7bvsqr1wd/service_control_policy/p-pcmxrekp", "AwsManaged": "false" } ] } ], ... } ``` Query a specific SCP: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__SERVICECONTROLPOLICY__/p-DenyHighRiskActions" ``` Response ```json { "_id": "p-pcmxrekp", "PolicyName": "Sandbox SCP", "__NAME__": "Sandbox SCP", "Id": "p-pcmxrekp", "PolicySummary": [ { "Type": "SERVICE_CONTROL_POLICY", "Description": "", "Arn": "arn:aws:organizations::470686885243:policy/o-r7bvsqr1wd/service_control_policy/p-pcmxrekp", "AwsManaged": "false" } ] } ``` #### Query AWS organizational units Query all organizational units: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__ORGUNIT__?_queryFilter=True" ``` Response ```json { "result": [ { "_id": "ou-2g8u-y0g6eo9k", "__NAME__": "ORGTEST", "ParentId": "ou-2g8u-y0g6eo9k" }, { "_id": "ou-2g8u-jvpza68y", "OrganizationalUnits": [ { "Arn": "arn:aws:organizations::470686885243:ou/o-r7bvsqr1wd/ou-2g8u-kgsw9s1e", "Name": "1-Sandboxchild" } ], "__NAME__": "Sandbox", "ParentId": "ou-2g8u-jvpza68y" }, { "_id": "ou-2g8u-mfus8u4b", "__NAME__": "Tempexample", "ParentId": "ou-2g8u-mfus8u4b" }, { "_id": "ou-2g8u-b3z1vwel", "__NAME__": "TestOrganization", "ParentId": "ou-2g8u-b3z1vwel" } ], ... } ``` Query a specific organizational unit: Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --request GET \ "http://localhost:8080/openidm/system/aws/__ORGUNIT__/ou-2g8u-jvpza68y" ``` Response ```json { "_id": "ou-2g8u-jvpza68y", "OrganizationalUnits": [ { "Arn": "arn:aws:organizations::470686885243:ou/o-r7bvsqr1wd/ou-2g8u-kgsw9s1e", "Name": "1-Sandboxchild" } ], "__NAME__": "Sandbox", "ParentId": "ou-2g8u-jvpza68y" } ``` ## OpenICF Interfaces Implemented by the AWS Connector The AWS Connector implements the following OpenICF interfaces. For additional details, see [ICF interfaces](interfaces.html): * Create Creates an object and its `uid`. * Delete Deletes an object, referenced by its `uid`. * Schema Describes the object types, operations, and options that the connector supports. * Script on Connector Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics: * The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access. * The script has access to a `connector` variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. * The script has access to any script arguments passed in by the application. * Search Searches the target resource for all objects that match the specified object class and filter. * Test Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid. This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out). You can invoke the test operation before a connector configuration has been validated. * Update Updates (modifies or replaces) objects on a target resource. []() ## AWS Connector Configuration The AWS Connector has the following configurable properties: ### Basic Configuration Properties | Property | Type | Default | Encrypted(1) | Required(2) | | -------------------------------------------------------------- | --------------- | ------- | ------------------------ | ------------------------- | | `accessKeyId` | `String` | `null` | | [icon: check, set=fas]Yes | | Provides the Access Key ID to access the AWS IAM Service API. | | | | | | `secretKey` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: check, set=fas]Yes | | Provides the Secret Key ID to access the AWS IAM Service API. | | | | | | `roleArn` | `String` | `null` | | [icon: check, set=fas]Yes | | Provides the Amazon Resource Name specifying the Role. | | | | | | `region` | `String` | `null` | | [icon: times, set=fas]No | | Provides the Regions. | | | | | | `pageSize` | `int` | `100` | | [icon: times, set=fas]No | | Provides the Page Size. | | | | | | `credentialsExpiration` | `int` | `3600` | | [icon: times, set=fas]No | | Provides the temporary credentials expiration time in seconds. | | | | | | `parentId` | `String` | `null` | | [icon: times, set=fas]No | | Provides the Parent ID to access the Organization Service. | | | | | | `userName` | `String` | `null` | | [icon: times, set=fas]No | | Provides the UserName to access the Inline policy of a User. | | | | | | `proxyHost` | `String` | `null` | | [icon: times, set=fas]No | | Provides the ProxyHost. | | | | | | `proxyPort` | `Integer` | `null` | | [icon: times, set=fas]No | | Provides the ProxyPort. | | | | | | `proxyUsername` | `String` | `null` | | [icon: times, set=fas]No | | Provides the Proxy Username. | | | | | | `proxyPassword` | `GuardedString` | `null` | | [icon: times, set=fas]No | | Provides the Proxy Password. | | | | | | `connectionTimeout` | `Integer` | `10000` | | [icon: times, set=fas]No | | Provides the Maximum Connection Timeout in milliseconds. | | | | | | `maxConnections` | `Integer` | `10` | | [icon: times, set=fas]No | | Provides the number of Maximum Connections. | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations.