Okta Classic Engine / Administration / Answered / 2024-04-30T09:18:25.000Z, 2017-08-31T18:28:20.000Z, 2017-09-20T20:46:53.000Z
  • Hello Nicole,

    Could you please expand on this, as I am uncertain of the exact ask here. Are you asking if it's possible to automatically assign a group to a specific role in AWS, or to assign a specific group to an AWS role in Okta using API calls?

    Thank you,

    Vlad Ivascu
    Technical Support Engineer
    Okta Global Customer Care
  • j5v7c (j5v7c)

    The business ask is to automate the assignment of groups to new roles. Ex:

    1. Role AWS_READ created by AWS admin on the AWS portal.

    2. AWS_READ group created and populated via API in Okta.

    3. <NEED> Automate the assignment of the group to the newly created role.
  • j5v7c (j5v7c)

    Follow-up: any idea if this is possible at this time?
  • Once the group is created via API, you could use another API call to assign the newly created group to the AWS application and include the role you want to assign in the body. While it is not automatic, this would be a way to do it through APIs.

    Let me know if this helps.

    Example: (attached image, not reproduced)

    Thank you,

    Vlad Ivascu
    Technical Support Engineer
    Okta Global Customer Care
  • Instead of using the API, could you not also consider that the Okta OIN integration with AWS has a built-in API (we call this the 'Provisioning' tab, or a Provisioning-capable app) in Okta. When you enable this you can assign different groups in Okta (these might be AD groups) to the 'user assignments' tab of the AWS PON application as an Okta Administrator.

    If you then look at this after you've enabled and set up the 'Provisioning' tab properly with the API key supplied from your AWS tenant, then simply by associating 'AWS roles' to an Okta group you can fulfill the following requirement:

    <NEED> automate the assignment of the newly created AWS role to an Okta assigned group or AD group

    (attached image, not reproduced)

    Please see the AWS Integration guide for more detail. Note there will be a newly expanded Integration guide coming soon as well.

    https://support.okta.com/help/Documentation/Knowledge_Article/Amazon-Web-Services-and-Okta-Integration-Guide
  • mlmk2 (mlmk2)

    Hi Nicole,

    What you are looking for is (roughly) as follows. You will need to know the App ID of your active Amazon Web Services app (you can get this by calling):

        {{url}}/api/v1/apps?q=amazon_aws

    Make sure only one result comes back, or that yours is the active one returned. Save the ID for later use.

    Then, each time you want to assign a group to a role:

    1. Get the group ID from the Okta API:

        GET {{url}}/api/v1/groups?q={{groupName}}

    Save the returned ID from the JSON body.

    2. Assign the AWS role to the group:

        PUT {{url}}/api/v1/apps/{{appId}}/groups/{{groupId}}

    with a JSON body:

        { "profile": { "samlRoles": [ "[aws-account-number-or-alias] -- role-name" ] } }
  • mlmk2 (mlmk2)

    Note if you are granting multiple roles to a group, you'll need to add them all in the JSON body each time; it replaces the samlRoles rather than adding/removing them. You can get a list of existing roles with a GET on the same URL first if you are using Okta as your authoritative data source (probably not a good idea) 🙂
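The three API steps above, plus the read-then-merge that the follow-up note calls for, as an added Python example (not code from this thread or from Okta). It assumes SSWS API-token authentication, that the q= searches are prefix matches so the exact group name must be checked, and that a 404 on the group-assignment URL means the group is not yet assigned to the app.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

class OktaClient:
    """Minimal Okta Classic API client; SSWS API-token auth is an assumption here."""
    def __init__(self, base_url, api_token, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"SSWS {api_token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self._open = opener  # injectable so the flow can be exercised offline

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     headers=self.headers, method=method)
        with self._open(req) as resp:
            return json.load(resp)

def find_single_id(items, label):
    """Refuse to guess: q= searches are prefix matches, so insist on exactly one hit."""
    if len(items) != 1:
        raise ValueError(f"expected exactly one {label}, found {len(items)}")
    return items[0]["id"]

def merged_saml_roles(current_profile, role):
    """PUT replaces samlRoles wholesale, so merge the new role into the current list."""
    roles = list(current_profile.get("samlRoles") or [])
    if role not in roles:
        roles.append(role)
    return roles

def assign_aws_role(client, group_name, role, app_id=None):
    # Step 0 (once): locate the active AWS app unless the caller already saved its ID.
    if app_id is None:
        apps = client.call("GET", "/api/v1/apps?q=amazon_aws")
        app_id = find_single_id([a for a in apps if a.get("status") == "ACTIVE"], "active AWS app")
    # Step 1: resolve the group by exact name, not just by the prefix search.
    groups = client.call("GET", f"/api/v1/groups?q={quote(group_name)}")
    group_id = find_single_id([g for g in groups if g["profile"]["name"] == group_name], "group")
    # Step 2: read current roles (if assigned), merge, then PUT the full list.
    path = f"/api/v1/apps/{app_id}/groups/{group_id}"
    try:
        current = client.call("GET", path).get("profile") or {}
    except urllib.error.HTTPError as err:
        if err.code != 404:  # assumption: 404 means not yet assigned to the app
            raise
        current = {}
    return client.call("PUT", path, {"profile": {"samlRoles": merged_saml_roles(current, role)}})
```

Call `assign_aws_role(OktaClient("https://{{yourOktaDomain}}", "{{apiToken}}"), "AWS_READ", "{{account-id}} -- AWS_READ")` with your own values; the app ID can be passed in after the first lookup to skip the app search.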
This question is closed.
automate AWS role assignment