https://support.okta.com/help/answers?id=9062a000000qudtqak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Nicole Doty

automate AWS role assignment

We'd like to automate the groups to role assignments in AWS.  As the user creates the role in AWS and the corresponding group in Okta (we leverage the API), we'd like to have Okta automate the matching of the group to the role, perhaps through the API?  Anyone successfully done this?
Vlad Ivascu (Okta, Inc.)
Hello Nicole, 

Could you please expand on this, as I am uncertain of the exact ask here. Are you asking if it's possible to automatically assign a group to a specific role in AWS, or to assign a specific group to an AWS role in Okta using API calls?

Thank You,

Vlad Ivascu
Technical Support Engineer
Okta Global Customer Care
Nicole Doty
The business ask is to automate the assignment of groups to new roles.  Ex:
1. role AWS_READ created by AWS admin on the AWS portal.
2. AWS_READ group created and populated via API in Okta
3. <NEED> automate the assignment of the group to the newly created role.
Nicole Doty
followup, any idea if this is possible at this time?
Vlad Ivascu (Okta, Inc.)
Once the group is created via API, you could use another API call to assign the newly created group to the AWS application and include the role you want to assign in the body. While it is not automatic, this would be a way to do it through APIs.
Let me know if this helps. 

Example: (user-added image, not preserved in the page text)
Thank You,

Vlad Ivascu
Technical Support Engineer
Okta Global Customer Care
Edward Holliday (Okta, Inc.)
Instead of using the API could you not also consider that the Okta OIN integration with AWS has a built in API (we call this the 'Provisioning' tab or a Provisioning capable app) in Okta. When you enable this you can assign different groups in Okta (this might be AD groups) to the 'user assignments' tab of the AWS PON application as an Okta Administrator.

If you then look at this after you've enabled and set up the 'Provisioning' tab properly with the API key supplied from your AWS tenant, then simply by associating 'AWS roles' to an Okta group you can fulfill the following requirement:
<NEED> automate the assignment of the newly created AWS role to an Okta assigned group or AD group

AWS role assignments

Please see the AWS Integration guide for more detail. Note there will be a newly expanded Integration guide coming soon as well.
https://support.okta.com/help/Documentation/Knowledge_Article/Amazon-Web-Services-and-Okta-Integration-Guide
 
Leigh Hart
Hi Nicole,

What you are looking for is (roughly) as follows - you will need to know the App ID of your active Amazon Web Services App (you can get this by calling {{url}}/api/v1/apps?q=amazon_aws).

Make sure only one result comes back, or that yours is the active one returned.  Save the ID for later use.

Then, each time you want to assign a group to a role:

1. Get the group ID from OKTA API:
 
GET {{url}}/api/v1/groups?q={{groupName}}

Save the returned ID from the JSON body.

2. Assign the AWS role to the group:
 
PUT {{url}}/api/v1/apps/{{appId}}/groups/{{groupId}}

with a JSON body:
 
{
    "profile": {
        "samlRoles": [
            "[aws-account-number-or-alias] -- role-name"
        ]
    }
}

 
Leigh Hart
Note if you are granting multiple roles to a group, you'll need to add them all in the JSON body each time; it replaces the samlRoles, rather than adding/removing them.  You can get a list of existing roles with a GET on the same URL first if you are using OKTA as your authoritative data source (probably not a good idea) :-)
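Putting the three calls from the answer above together with the follow-up note that PUT replaces samlRoles wholesale, here is an added example (not code from the thread or from Okta) that finds the active AWS app, resolves the group by exact name, reads the roles already assigned, and writes back the union. The injectable transport, the okta_transport helper and the class name are this example's own conventions; the endpoints, the SSWS token header and the "account -- role" string format are as described in the thread.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

def okta_transport(api_token):
    """Real HTTP transport (method, url, body) -> (status, JSON); a fake can be injected for tests."""
    def call(method, url, body=None):
        req = urllib.request.Request(url, method=method, data=json.dumps(body).encode() if body else None,
                                     headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json",
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"null")
        except urllib.error.HTTPError as err:
            return err.code, None
    return call

class AwsRoleAssigner:
    def __init__(self, org_url, transport):
        self.org, self.call = org_url.rstrip("/"), transport

    def _get(self, path, **params):
        status, body = self.call("GET", f"{self.org}{path}?{urlencode(params)}")
        if status != 200:
            raise RuntimeError(f"GET {path} returned HTTP {status}")
        return body

    def aws_app_id(self):
        # Only the single ACTIVE Amazon Web Services app instance counts.
        apps = [a for a in self._get("/api/v1/apps", q="amazon_aws") if a.get("status") == "ACTIVE"]
        if len(apps) != 1:
            raise RuntimeError(f"expected one active AWS app, found {len(apps)}")
        return apps[0]["id"]

    def group_id(self, name):
        # ?q= is a prefix search, so keep the exact name only (AWS_READ must not pick AWS_READ_ONLY).
        hits = [g for g in self._get("/api/v1/groups", q=name) if g["profile"]["name"] == name]
        if len(hits) != 1:
            raise RuntimeError(f"expected one group named {name!r}, found {len(hits)}")
        return hits[0]["id"]

    def assign_roles(self, app_id, group_id, roles):
        # PUT replaces samlRoles wholesale, so read the current list (404 = not yet assigned) and write back the union.
        url = f"{self.org}/api/v1/apps/{app_id}/groups/{group_id}"
        status, current = self.call("GET", url)
        existing = ((current or {}).get("profile") or {}).get("samlRoles") or [] if status == 200 else []
        merged = sorted(set(existing) | set(roles))
        status, _ = self.call("PUT", url, {"profile": {"samlRoles": merged}})
        if status != 200:
            raise RuntimeError(f"PUT {url} returned HTTP {status}")
        return merged
```

Against a real org, construct it as `AwsRoleAssigner("https://your-org.okta.com", okta_transport(token))` with an API token that has app and group administration rights, and run the three methods in order.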