Leon Jiang

aws console Okta Integration with multiple account

When I tried to follow the instructions to establish the AWS console Okta integration in a multiple-accounts scenario: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service#B-step4
I followed the steps and successfully got the master account working. However, I ran into the following issue with cross-account role assuming. The API key user in the master account can assume the role manually from the console, but it gave the following error message when I configured the Okta API integration. I tried multiple accounts and API users and got the same error.

Verification failed: Failed to validate Admin credentials: Failure for account xxxxxxxxxx : Not authorized to perform sts:AssumeRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxx
Mircea Baciu (Vendor Management)
Hi Leon, my name is Mircea.
The reason why you receive that error message is that the admin you are using does not have the permission to make those changes. So you need to verify exactly the limits of the admin's attributes, or try with another one.
Thank you,
Leon Jiang
Hi Mircea, you mean the user (admin) doesn't have the permission (assume roles) within the master account? I tried two different users, one with an explicitly defined policy with permission to assume roles and the other with full admin to everything. I also tried both users from the console to switch user directly, and both were successful (which means to me that the accounts have the permission to assume roles). However, both accounts ran into the error message when accessed in the Okta UI, as shown below. [image: Screen Shot 2018-06-26 at 5.15.30 PM.png]
Rashmi Bilgundi
Hi Leon,

We had the same issue. Turns out we selected the incorrect value from the dropdown for "AWS Environment". We were connecting to GovCloud and "AWS Regular" was selected. It started working when we changed it to "AWS GovCloud".

AWS Environment (Required for SAML SSO): AWS GovCloud
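The following is an added diagnostic script, not code from the thread or from Okta: it builds the cross-account role ARN for the partition that the Okta "AWS Environment" setting implies, checks that the API user's own ARN is in the same partition, and then attempts sts:AssumeRole against each member account with the correct regional STS endpoint. The role name, account IDs and session name are hypothetical placeholders; boto3 is only needed for the live check.

```python
"""Check Okta cross-account trust before configuring the AWS app in Okta.

Added example, not from the thread. A role ARN built for the wrong partition
("aws" vs "aws-us-gov") is refused by STS with a 403 AccessDenied, which is
indistinguishable from a missing trust policy unless the partition is checked.
"""
from __future__ import annotations

# The Okta "AWS Environment" dropdown maps to an AWS partition and a region
# that hosts that partition's STS endpoint.
PARTITIONS = {
    "AWS Regular": ("aws", "us-east-1"),
    "AWS GovCloud": ("aws-us-gov", "us-gov-west-1"),
}


def partition_of(arn: str) -> str:
    """Return the partition field of an ARN, e.g. 'aws-us-gov'."""
    return arn.split(":")[1]


def role_arn(environment: str, account_id: str, role_name: str) -> str:
    """Build the member-account role ARN for the selected Okta environment."""
    partition, _region = PARTITIONS[environment]
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"


def environment_matches(environment: str, caller_arn: str) -> bool:
    """True when the API user's credentials live in the selected partition."""
    return PARTITIONS[environment][0] == partition_of(caller_arn)


def check_accounts(environment: str, account_ids: list[str], role_name: str) -> dict[str, str]:
    """Try AssumeRole into each account; map account id to 'ok' or the STS error code."""
    import boto3  # imported lazily so the pure helpers above work without it
    from botocore.exceptions import ClientError

    _partition, region = PARTITIONS[environment]
    sts = boto3.client("sts", region_name=region)
    caller = sts.get_caller_identity()["Arn"]
    if not environment_matches(environment, caller):
        return {"*": f"partition mismatch: credentials are {partition_of(caller)}"}
    results: dict[str, str] = {}
    for account in account_ids:
        try:
            sts.assume_role(RoleArn=role_arn(environment, account, role_name),
                            RoleSessionName="okta-trust-check", DurationSeconds=900)
            results[account] = "ok"
        except ClientError as exc:  # e.g. AccessDenied when the trust policy is wrong
            results[account] = exc.response["Error"]["Code"]
    return results
```

Run `check_accounts("AWS GovCloud", ["111111111111"], "OktaCrossAccountRole")` with the API user's credentials in the environment; any account reported as AccessDenied has a trust policy or partition problem that Okta's verification will also reject.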