--- title: AWS connector description: Connectors continue to be released outside the IDM release. For the latest documentation, refer to the OpenICF documentation. component: pingidm version: 7.2 page_id: pingidm:connector-reference:aws-iam canonical_url: https://docs.pingidentity.com/pingidm/7.2/connector-reference/aws-iam.html section_ids: before_you_start: Before you start install_the_aws_connector: Install the AWS connector configure_the_aws_connector: Configure the AWS connector use_the_aws_connector: Use the AWS connector implemented-interfaces-org-forgerock-openicf-connectors-aws-AwsConnector-1.5.20.15: OpenICF Interfaces Implemented by the AWS Connector config-properties-org-forgerock-openicf-connectors-aws-AwsConnector-1.5.20.15: AWS Connector Configuration basic-group-of-connector-org-forgerock-openicf-connectors-aws-AwsConnector-1.5.20.15: Basic group of connector --- # AWS connector | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Connectors continue to be released outside the IDM release. For the latest documentation, refer to the [OpenICF documentation](https://docs.pingidentity.com/openicf/index.html). | AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. The AWS connector lets you manage and synchronize accounts between AWS and IDM managed user objects. An AWS administrator account is required for this connector to work. ## Before you start Before you configure the connector, log in to your AWS administrator account and note the following: * Access Key ID The access key ID is a globally unique IAM user identifier to access the AWS service API. * Secret Key ID The secret key is a password to access the AWS service API. * Role ARN Amazon Resource Name (ARN) for the role which has IAM Full Access permissions. * Credentials Expiration Time (in seconds) to configure the duration in which the temporary credentials would expire. Optional. * Region The region where the AWS instance is hosted. ## Install the AWS connector Download the connector .jar file from the [Backstage download site](https://backstage.forgerock.com/downloads). * If you are running the connector locally, place it in the `/path/to/openidm/connectors` directory, for example: ``` mv ~/Downloads/aws-connector-1.5.20.15.jar /path/to/openidm/connectors/ ``` * If you are using a remote connector server (RCS), place it in the `/path/to/openicf/connectors` directory on the RCS. ## Configure the AWS connector Create a connector configuration using the admin UI: 1. Select Configure > Connectors and click New Connector. 2. Enter a Connector Name. 3. Select AWS Connector - 1.5.20.15 as the Connector Type. 4. Provide the Base Connector Details. 5. Click Save. When your connector is configured correctly, the connector displays as Active in the admin UI. Alternatively, test that the configuration is correct by running the following command: ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --request POST \ "http://localhost:8080/openidm/system/aws?_action=test" { "name": "aws", "enabled": true, "config": "config/provisioner.openicf/aws", "connectorRef": { "bundleVersion": "[1.5.0.0,1.6.0.0)", "bundleName": "org.forgerock.openicf.connectors.aws-connector", "connectorName": "org.forgerock.openicf.connectors.aws.AwsConnector" }, "displayName": "AWS Connector", "objectTypes": [ "__ACCOUNT__", "__ALL__" ], "ok": true } ``` If the command returns `"ok": true`, your connector has been configured correctly, and can authenticate to the AWS system. ## Use the AWS connector The following AWS account attributes are supported by the AWS connector: | Attribute | Description | | -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `__USER__` | The username of the user. Only alphanumeric characters, and `+=,.@_-` symbols are supported. Required. | | `UserId` | Auto-generated user id. | | `Path` | The path to the created user (used to define a hierarchy-based structure). Default value is `/`. | | `__PASSWORD__` | Password for the user account. | | `Arn` | Amazon Resource Name (ARN), used to uniquely identify the AWS resource. For more information on ARNs, see [Amazon Resource Names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the AWS documentation. | | `CreatedDate` | Date of profile creation, in [ISO 8601 date-time format](http://www.iso.org/iso/iso8601). | | `PasswordLastUsed` | Date the password was last used. | | `PermissionBoundary` | The ARN of the policy that is used to set the permissions boundary for the user. | | `Tags` | A list of customizable key-value pairs. For more information about tags on AWS, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the AWS documentation. For example:```json "Tags": [{ "Key": "Department", "Value": "Accounting" }] ``` | You can use the AWS connector to perform the following actions on an AWS account: > **Collapse: Create an AWS user** > > The following example creates a user with the minimum required attributes: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request POST \ > --data '{ > "__NAME__": "bjensen" > }' \ > "http://localhost:8080/openidm/system/aws/__ACCOUNT__?_action=create" > { > "_id": "bjensen", > "Path": "/", > "UserId": "AIDAW3FY74V57KNBRIDU6", > "__NAME__": "bjensen", > "Arn": "arn:aws:iam::470686885243:user/bjensen", > "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022" > } > ``` > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------ | > | | When you create a new user, you must specify *at least* `__NAME__`. See the list of available attributes for more information. | > **Collapse: Update an AWS user** > > You can modify an existing user with a PUT request, including all attributes of the account in the request. The following attributes can be modified on a user: > > * `__USER__` > > * `__PASSWORD__` > > * `Path` > > * `PermissionsBoundary` > > * `Tags` > > For example, to add a new tag to a user: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --header "If-Match:*" \ > --request PUT \ > --data '{ > "__NAME__": "bjensen", > "Tags": [{ > "Key": "Project", > "Value": "Meteor" > }] > }' \ > "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" > { > "_id": "bjensen", > "Path": "/", > "UserId": "AIDAW3FY74V57KNBRIDU6", > "__NAME__": "bjensen", > "Arn": "arn:aws:iam::470686885243:user/bjensen", > "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", > "Tags": [ > { > "Project": "Meteor" > } > ] > } > ``` > **Collapse: Query AWS users** > > The following example queries all AWS users: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/aws/__ACCOUNT__?_queryId=query-all-ids" > { > "result": [ > { > "_id": "bjensen" > }, > { > "_id": "frank@example.com" > }, > { > "_id": "testFR4User" > }, > { > "_id": "testFR5User" > }, > { > "_id": "testFR6User" > } > ], > "resultCount": 5, > "pagedResultsCookie": null, > "totalPagedResultsPolicy": "NONE", > "totalPagedResults": -1, > "remainingPagedResults": -1 > } > ``` > > The following command queries a specific user by their ID: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request GET \ > "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" > { > "_id": "bjensen", > "Path": "/", > "UserId": "AIDAW3FY74V57KNBRIDU6", > "__NAME__": "bjensen", > "Arn": "arn:aws:iam::470686885243:user/bjensen", > "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", > "Tags": [ > { > "Project": "Meteor" > } > ] > } > ``` > **Collapse: Reset an AWS user account password** > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --header "if-Match:*" \ > --request PATCH \ > --data '[{ > "operation": "add", > "field": "__PASSWORD__", > "value": "Passw0rd@123!" > }]' \ > "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" > { > "_id": "bjensen", > "Path": "/", > "UserId": "AIDAW3FY74V57KNBRIDU6", > "__NAME__": "bjensen", > "Arn": "arn:aws:iam::470686885243:user/bjensen", > "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", > "Tags": [ > { > "Project": "Meteor" > } > ] > } > ``` > > | | | > | - | ----------------------------------------------------------------------------------------------------- | > | | While the `__PASSWORD__` field is not returned as part of the response, the user object *is* updated. | > **Collapse: Delete an AWS user account** > > You can use the AWS connector to delete an account from the AWS IAM service. > > The following example deletes an AWS account: > > ``` > curl \ > --header "X-OpenIDM-Username: openidm-admin" \ > --header "X-OpenIDM-Password: openidm-admin" \ > --header "Content-Type: application/json" \ > --request DELETE \ > "http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen" > { > "_id": "bjensen", > "Path": "/", > "UserId": "AIDAW3FY74V57KNBRIDU6", > "__NAME__": "bjensen", > "Arn": "arn:aws:iam::470686885243:user/bjensen", > "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022", > "Tags": [ > { > "Project": "Meteor" > } > ] > } > ``` ## OpenICF Interfaces Implemented by the AWS Connector The AWS Connector implements the following OpenICF interfaces. For additional details, see [OpenICF interfaces](interfaces.html): * Create Creates an object and its `uid`. * Delete Deletes an object, referenced by its `uid`. * Schema Describes the object types, operations, and options that the connector supports. * Script on Connector Enables an application to run a script in the context of the connector. Any script that runs on the connector has the following characteristics: * The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access. * The script has access to a `connector` variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration. * The script has access to any script arguments passed in by the application. * Search Searches the target resource for all objects that match the specified object class and filter. * Test Tests the connector configuration. Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid. This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out). You can invoke the test operation before a connector configuration has been validated. * Update Updates (modifies or replaces) objects on a target resource. ## AWS Connector Configuration The AWS Connector has the following configurable properties: ### Basic group of connector | Property | Type | Default | Encrypted(1) | Required(2) | | ------------------------------------------------------------ | --------------- | ------- | ------------------------ | ------------------------- | | `accessKeyId` | `String` | `null` | | [icon: check, set=fas]Yes | | Provide the Access Key ID to access the AWS IAM Service API | | | | | | `secretKey` | `GuardedString` | `null` | [icon: lock, set=fas]Yes | [icon: check, set=fas]Yes | | Provide the Secret Key ID to access the AWS IAM Service API | | | | | | `roleArn` | `String` | `null` | | [icon: check, set=fas]Yes | | Provide the Amazon Resource Name specifying the Role | | | | | | `region` | `String` | `null` | | [icon: times, set=fas]No | | Provide the Regions | | | | | | `pageSize` | `int` | `100` | | [icon: times, set=fas]No | | Provide the Page Size | | | | | | `credentialsExpiration` | `int` | `3600` | | [icon: times, set=fas]No | | Provide the temporary credentials expiration time in seconds | | | | | | `proxyHost` | `String` | `null` | | [icon: times, set=fas]No | | Provide the ProxyHost | | | | | | `proxyPort` | `Integer` | `null` | | [icon: times, set=fas]No | | Provide the ProxyPort | | | | | | `proxyUsername` | `String` | `null` | | [icon: times, set=fas]No | | Provide the Proxy Username | | | | | | `proxyPassword` | `GuardedString` | `null` | | [icon: times, set=fas]No | | Provide the Proxy Password | | | | | | `connectionTimeout` | `Integer` | `10000` | | [icon: times, set=fas]No | | Provide the Maximum Connection Timeout in milliseconds | | | | | | `maxConnections` | `Integer` | `10` | | [icon: times, set=fas]No | | Provide the number of Maximum Connections | | | | | (1) Whether the property value is considered confidential, and is therefore encrypted in IDM. (2) A list of operations in this column indicates that the property is required for those operations.