Okta Classic Engine | Single Sign-On | Answered | 2018-06-25 · 2018-06-29 · 2024-04-15
AWS console Okta integration with multiple accounts
I tried to follow the instructions to establish the AWS console Okta integration in a multiple-account scenario: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-Web-Service#B-step4

I followed the steps and successfully got the master account working. However, I ran into the following issue with cross-account role assumption. The API key user in the master account can assume the role manually from the console, but it gave the following error message when I configured the Okta API integration. I tried multiple accounts and API users and got the same error.

 

Verification failed: Failed to validate Admin credentials: Failure for account xxxxxxxxxx : Not authorized to perform sts:AssumeRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxx


  • Hi Leon, my name is Mircea.

    The reason why you receive that error message is that the admin you are using does not have permission to make those changes. So you need to verify exactly the limits of the admin's attributes, or try with another one.

    Thank you,

  • a10pf (a10pf)

    Hi Mircea, you mean the user (admin) doesn't have the permission (to assume roles) within the master account? I tried two different users, one with an explicitly defined policy granting permission to assume roles and the other a full admin with access to everything. I also tried both users from the console to switch user directly, and both were successful (which means to me that the accounts have the permission to assume roles). However, both accounts ran into the same error message when accessed in the Okta UI, as shown below. [image: Screen Shot 2018-06-26 at 5.15.30 PM.png]
  • RashmiB.14050 (Customer)

    Hi Leon,

    We had the same issue. It turns out we had selected the incorrect value from the dropdown for "AWS Environment". We were connecting to GovCloud and "AWS Regular" was selected. It started working when we changed it to "AWS GovCloud".

    AWS Environment (Required for SAML SSO): AWS GovCloud
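As an added example (not code from the thread, from Okta or from AWS), the following Python pre-flight check catches the misconfiguration found above before the Okta app is saved: it parses each target role ARN, compares its partition with the selected "AWS Environment" value, and can optionally make the same sts:AssumeRole call the API user performs, against the STS endpoint of the role's own partition. The mapping of dropdown values to partitions, the STS endpoints and the sample ARNs are assumptions made here.

```python
import re

# Okta "AWS Environment" value -> partition used in the target role ARNs.
# "AWS Regular" and "AWS GovCloud" are the values seen in the thread; the
# partition names they map to are this example's assumption.
ENVIRONMENT_PARTITION = {"AWS Regular": "aws", "AWS GovCloud": "aws-us-gov"}

# Signing region and STS endpoint per partition (assumed; GovCloud has no
# global STS endpoint, so a regional one is used).
STS_ENDPOINTS = {
    "aws": ("us-east-1", "https://sts.amazonaws.com"),
    "aws-us-gov": ("us-gov-west-1", "https://sts.us-gov-west-1.amazonaws.com"),
}

_ROLE_ARN = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):role/(?P<name>.+)$")

def parse_role_arn(arn: str) -> dict:
    """Split an IAM role ARN into partition, account id and role name."""
    m = _ROLE_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.groupdict()

def check_environment(environment: str, role_arns) -> list:
    """Return the role ARNs whose partition differs from the selected Okta
    environment. Those roles get reached through the wrong partition's STS,
    which shows up as AccessDenied even when the API user's policy is right."""
    expected = ENVIRONMENT_PARTITION[environment]
    return [a for a in role_arns if parse_role_arn(a)["partition"] != expected]

def try_assume_role(arn: str, session_name: str = "okta-preflight") -> str:
    """Live check (needs boto3 and the API user's credentials): make the same
    sts:AssumeRole call Okta makes, but against the role's own partition.
    Returns 'ok' or the STS error code, e.g. 'AccessDenied'."""
    import boto3
    from botocore.exceptions import ClientError
    region, url = STS_ENDPOINTS[parse_role_arn(arn)["partition"]]
    sts = boto3.client("sts", region_name=region, endpoint_url=url)
    try:
        sts.assume_role(RoleArn=arn, RoleSessionName=session_name)
        return "ok"
    except ClientError as exc:
        return exc.response["Error"]["Code"]

# Constructed sample: one GovCloud role and one commercial role, with the
# app set to "AWS Regular" as in the thread. Only the GovCloud ARN is flagged.
SAMPLE_ROLES = ["arn:aws-us-gov:iam::123456789012:role/Okta-Cross-Account",
                "arn:aws:iam::210987654321:role/Okta-Cross-Account"]
MISMATCHED = check_environment("AWS Regular", SAMPLE_ROLES)
```

Run `check_environment` over every cross-account role ARN the Okta app will list; an empty result means the environment selection is consistent, and `try_assume_role` then tells you whether the remaining failures are genuine IAM policy problems.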
This question is closed.