Organizational account integration workflow
Open both Authomize and AWS
- Log into Authomize and AWS in separate windows.
Preparing the AWS Integration in Authomize
- Go to Settings > Data Sources.
- If AWS appears under Recommended Apps, click it. Otherwise, Click Add New App.
- Select AWS.
Note: AWS IAM Identity Center (old AWS SSO) will be installed alongside AWS when the IncludeAWSIdentityCenter parameter is set in AWS.
- When the Integrate AWS dialog appears, click .
If you do not have CloudFormation and Role creation privileges, send the link (along with a request to create an Authomize-Trust-Role) to your AWS admin.
Creating an Authomize StackSet on AWS
If you are already logged into AWS, the CloudFormation>Stacks>Create stack dialog will open in AWS after clicking on its link ().
The Template URL is entered automatically by Authomize. You will need this URL later:
In the search field, on the menu bar, enter CloudFormation. Click CloudFormation then go to StackSets
Follow the steps below to create an Authomize-Integration stackset on AWS:
Fill in the fields as follows:
Step 1 Choose a Template
Select either Service-managed permissions or Self-service permissions.
Prerequisite – Prepare template
Select either Template is ready or Use a sample template.
Select Amazon S3 URL.
In the Amazon S3 URL field, enter the following URL:
Click and go to the Specify StackSet details section.
Step 2 Specify StackSet details
Enter a StackSet name [such as Authomize-integration].
Enter a description of your choosing.
Enter the ExternalID from Authomize’s Integrate AWS page
Enter true in the IncludeAWSIdentityCenter field if your organization uses AWS Identity Center
Click to go to the Configure StackSet options section.
Step 3 Configure StackSet options
Skip step 3 for now.
Click to go to the Set Deployment Options section.
Step 4 Set Deployment options
Add stacks to stack set
Select either Deploy new stacks or Import stacks to stack set.
Select either Deploy to organization or Deploy to organization units (OUs).
If you picked OUs set the OU ID.
Skip these options.
Specify one region in your organization (to install the stack).
Note: Do not install Authomize CloudFormation on Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Europe (Milan), Middle East (UAE), or Midde East (Bahrain).
Enter a number of concurrent accounts and failure tolerance.
Select parallel Region Concurrency for faster processing.
Click to go to the Review section.
Check the entries on the Review page to see if everything is correct.
Check the I acknowledge that AWS CloudFormation might create IAM resources with custom names.
Click to create a StackSet.
Go to CloudFormation>StackSets options
Check if the Authomize-integration StackSet status is active (was created successfully).
Complete the Integration
In the Integrate AWS dialog:
4. Skip this step.
5. Insert comma delimited Account Numbers (copied from Authomize-Integration StackSet) in the
Account Number field.
Insert the Management Account number only if you want to integrate the AWS Identity Center.
- the role is installed on the management account
- the role includes AWS Identity Center permission.
If you insert a Management Account, that account number must be included
(in comma delimited format) in the Account Number field.
If you leave the Regions field empty, all regions (in your organization) will be included.
If you specify one or more regions, data will be fetched only from those regions.
Skip the Assumed Role.
6. Enter an Integration name.
7. Enter Owner’s email.
If all goes well, you will see this:
Notice that AWS and AWS SSO were added to your Connected Apps.
AWS IAM Identity Center
The AWS IAM Identity Center (previously known as AWS SSO) is an authentication solution that allows users to log in to multiple applications and websites with one-time user authentication.
- It is integrated with Authomize alongside AWS , when IncludeAWSIdentityCenter is set to true in the Specify StackSets Details page. It is only relevant if your organization uses IAM Identity Center (AWS SSO)
- If installed on an individual account, only mark as true in the management account.
- When checking this option Authomize requests two extra permissions: