
AWS

The AWS connector is based on the REST connector; see the REST section for the full description of its tabs, fields, and configuration options. The integration reads and onboards both the identity data (IAM users) and the access data (groups and policies) from AWS into Omada Identity, so that user access in AWS can be managed directly from Omada Identity.

Apart from creating objects and provisioning access, the AWS connector also supports generating initial passwords for user accounts, sending notification emails on account creation, and self-service password reset.

In Omada Identity, a single account object represents two separate AWS IAM entities: an AWS User (the user account, defined by a path and a name) and a Login Profile (the access data, which at minimum consists of the password). When an AWS user account is removed, the Login Profile is deleted first as a custom action, and a task mapping then points to the deletion of the AWS User.

Supported objects and operations

Only full import is available; AWS does not support delta import.

Resource              Possible operations
Users                 Create, update, delete
Login profiles        Create, delete (provisioned as part of the user)
Groups for users      Create and delete assignments
Attached policies     Create and delete assignments

Minimum required permissions

You need an AWS account and an IAM user (with its group) for the connector to authenticate as. Create the user and its security credentials directly in the AWS Management Console; the Create an administrative user section in the AWS documentation walks through the steps. An administrator user carries far more rights than the connector uses, so for a production deployment give a dedicated connector user only the IAM API actions it actually calls, which are the following:

  • ListPolicies
  • UpdateLoginProfile
  • GetPolicy
  • UpdateUser
  • AttachUserPolicy
  • DeleteUser
  • CreateUser
  • GetGroup
  • CreateLoginProfile
  • RemoveUserFromGroup
  • AddUserToGroup
  • ListUsers
  • ListGroups
  • GetAccountAuthorizationDetails
  • DetachUserPolicy
  • DeleteLoginProfile
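A least-privilege IAM policy that grants exactly these actions, as an added example that is not part of the Omada documentation. The account ID 123456789012 and the /omada/ user path are assumptions: scoping the user-level actions to a path confines the connector's writes to users under that path, while the List* and GetAccountAuthorizationDetails actions accept no resource-level restriction and have to be granted on "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadIamDirectory",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListPolicies",
        "iam:GetPolicy",
        "iam:GetGroup",
        "iam:GetAccountAuthorizationDetails"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ManageConnectorUsers",
      "Effect": "Allow",
      "Action": [
        "iam:CreateUser",
        "iam:UpdateUser",
        "iam:DeleteUser",
        "iam:CreateLoginProfile",
        "iam:UpdateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:AttachUserPolicy",
        "iam:DetachUserPolicy"
      ],
      "Resource": "arn:aws:iam::123456789012:user/omada/*"
    },
    {
      "Sid": "ManageGroupMembership",
      "Effect": "Allow",
      "Action": [
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup"
      ],
      "Resource": "arn:aws:iam::123456789012:group/*"
    }
  ]
}
```

Attach this policy to the connector's IAM user or its group instead of AdministratorAccess. Keep in mind that iam:AttachUserPolicy lets the holder attach any managed policy, AdministratorAccess included, to a user it controls, so the connector's credentials remain highly sensitive; the iam:PolicyARN condition key can be added to the second statement to restrict which policies the connector may attach.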

Implementation notes

AWS refuses to delete a user that still has dependencies such as attached policies or group memberships: DeleteUser fails with a DeleteConflict error until they are removed. Before revoking the AWS account resource assignment in Omada Identity, therefore, make sure that all the other AWS resource assignments (policies and groups) for the given identity have already been revoked, so that the connector's deprovisioning tasks run in an order AWS accepts.
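The deletion order described above, and the login-profile-before-user sequence from the account description earlier, as an added Python example that is not Omada's connector code. It is written against the boto3 IAM client method names (list_attached_user_policies, detach_user_policy, list_groups_for_user, remove_user_from_group, delete_login_profile, delete_user) but takes the client as a parameter, so it runs offline against the constructed FakeIam stand-in and sample users shown; the account ID in the sample policy ARN is an assumption. The fake mirrors IAM's behaviour of refusing DeleteUser while dependencies remain. Real IAM also blocks deletion while access keys, MFA devices or inline policies exist, which the connector does not manage and this example does not clean up.

```python
"""Ordered teardown of an IAM user: remove every dependency, then DeleteUser.
Added example, not Omada's connector code. Written against boto3 IAM client
method names, but the client is a parameter so it runs offline on FakeIam."""
import copy


# Stand-ins for the errors the real client exposes as iam.exceptions.*
class DeleteConflictException(Exception): ...
class NoSuchEntityException(Exception): ...


def delete_iam_user(iam, user_name):
    """Detach policies, leave groups, drop the login profile, then delete.
    Returns the ordered (API action, target) calls that were made. IAM caps
    a user's group memberships and attached managed policies at 10 each by
    default, so one page per listing is enough and no Marker loop is needed."""
    log = []
    for policy in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user_name, PolicyArn=policy["PolicyArn"])
        log.append(("DetachUserPolicy", policy["PolicyArn"]))
    for group in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=group["GroupName"], UserName=user_name)
        log.append(("RemoveUserFromGroup", group["GroupName"]))
    try:
        iam.delete_login_profile(UserName=user_name)
        log.append(("DeleteLoginProfile", user_name))
    except Exception as exc:  # boto3 raises iam.exceptions.NoSuchEntityException
        if type(exc).__name__ != "NoSuchEntityException":
            raise  # no console password is fine; any other error is not
    iam.delete_user(UserName=user_name)
    log.append(("DeleteUser", user_name))
    return log


# Constructed sample directory: jdoe has every dependency kind, svc-backup none.
SAMPLE_USERS = {
    "jdoe": {
        "policies": ["arn:aws:iam::aws:policy/ReadOnlyAccess",
                     "arn:aws:iam::123456789012:policy/S3Audit"],  # assumed account
        "groups": ["developers"],
        "login_profile": True,
    },
    "svc-backup": {"policies": [], "groups": [], "login_profile": False},
}


class FakeIam:
    """In-memory stand-in for the boto3 IAM client over a users dict."""

    def __init__(self, users):
        self.users = users

    def list_attached_user_policies(self, UserName):
        arns = self.users[UserName]["policies"]
        items = [{"PolicyName": a.rsplit("/", 1)[-1], "PolicyArn": a} for a in arns]
        return {"AttachedPolicies": items, "IsTruncated": False}

    def detach_user_policy(self, UserName, PolicyArn):
        self.users[UserName]["policies"].remove(PolicyArn)

    def list_groups_for_user(self, UserName):
        items = [{"GroupName": g} for g in self.users[UserName]["groups"]]
        return {"Groups": items, "IsTruncated": False}

    def remove_user_from_group(self, GroupName, UserName):
        self.users[UserName]["groups"].remove(GroupName)

    def delete_login_profile(self, UserName):
        if not self.users[UserName]["login_profile"]:
            raise NoSuchEntityException(UserName)
        self.users[UserName]["login_profile"] = False

    def delete_user(self, UserName):
        user = self.users[UserName]
        if user["policies"] or user["groups"] or user["login_profile"]:
            raise DeleteConflictException(UserName)  # real IAM refuses as well
        del self.users[UserName]


def make_fake():
    return FakeIam(copy.deepcopy(SAMPLE_USERS))


def naive_delete_is_refused(user_name="jdoe"):
    """Failure mode: DeleteUser before cleanup is rejected with DeleteConflict."""
    try:
        make_fake().delete_user(UserName=user_name)
    except DeleteConflictException:
        return True
    return False
```

With a real client, `delete_iam_user(boto3.client("iam"), "jdoe")` performs the same sequence; the returned log is the audit trail of what was detached and removed before the user disappeared.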


Prerequisites

None.