| 1 | +--- |
| 2 | +title: AWS IAM Identity Center (Preview) |
| 3 | +description: How to set up and use Teleport AWS IAM Identity Center integration |
| 4 | +--- |
| 5 | + |
| 6 | +Teleport's integration with [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) |
| 7 | +allows you to organize and manage your users' short- and long-term access to AWS |
| 8 | +accounts and their permissions. |
| 9 | + |
| 10 | +With the Identity Center integration you can grant or revoke persistent access |
| 11 | +to AWS accounts and resources using Teleport Access Lists, or use Teleport |
| 12 | +Access Requests for scenarios requiring temporary elevated AWS privileges. |
| 13 | + |
| 14 | +## How it works |
| 15 | + |
| 16 | +Identity Center integration builds on top of Teleport's [role-based access controls](../../access-controls/guides/guides.mdx), |
| 17 | +[just-in-time Access Requests](../../access-controls/access-requests/access-requests.mdx) |
| 18 | +and [Access Lists](../../access-controls/access-lists/access-lists.mdx). |
| 19 | + |
| 20 | +When enabled, Teleport takes ownership over Identity Center users, groups, and |
| 21 | +permission set assignments: |
| 22 | + |
| 23 | +- All Identity Center groups, along with their members and account/permission |
| 24 | + assignments, are imported into Teleport as Access Lists. |
| 25 | +- Identity Center account/permission assignments are expressed as Teleport role |
| 26 | + policies. |
| 27 | +- Changes made to Teleport users or Access Lists with Identity Center assigned |
| 28 | + permissions are reflected in the Identity Center. |
| 29 | + |
| 30 | +<Admonition type="warning"> |
| 31 | +Note that Identity Center integration requires using Teleport as an external |
| 32 | +identity source. |
| 33 | + |
| 34 | +As such, we recommend ensuring that all Identity Center users have access to |
| 35 | +your Teleport cluster before turning the integration on to avoid access |
| 36 | +interruption. If your Identity Center already uses external identity source, |
| 37 | +you can configure corresponding [SSO connector](../../access-controls/sso/sso.mdx) |
| 38 | +in Teleport or, if you're using Okta, turn on |
| 39 | +[Okta integration](../../../enroll-resources/application-access/okta/hosted-guide.mdx). |
| 40 | +</Admonition> |
| 41 | + |
| 42 | +For managing long-term access, Teleport cluster administrators can designate |
| 43 | +Identity Center-synced Access Lists owners who will be responsible for adding |
| 44 | +or removing users and performing periodic access reviews. Users added to or |
| 45 | +removed from such Access Lists will be added to or removed from corresponding |
| 46 | +Identity Center groups. |
| 47 | + |
| 48 | +For short-term access, users can go through Teleport's standard Access Request |
| 49 | +flow in which case Teleport will assign requested privileges to a particular |
| 50 | +user and automatically unassign once the Access Request expires. |
| 51 | + |
| 52 | +<Admonition type="note"> |
| 53 | +The preview release of Teleport's Identity Center integration in Teleport 17.0 |
| 54 | +supports role Access Requests only. |
| 55 | + |
| 56 | +Resource Access Requests (ability to request access to a particular permission |
| 57 | +set in a particular account or a particular resource) will be added in follow |
| 58 | +up releases. |
| 59 | +</Admonition> |
| 60 | + |
| 61 | +## Prerequisites |
| 62 | + |
| 63 | +- Teleport cluster version 17.0 or higher. |
| 64 | +- Administrative access to AWS IAM Identity Center. |
| 65 | + |
| 66 | +## Step 1/6. Configure AWS integration |
| 67 | + |
| 68 | +Teleport provides a guided web UI based configuration flow for the Identity |
| 69 | +Center integration. To get started, navigate to the "Add new integration" page |
| 70 | +in your Teleport cluster control panel and select "AWS Identity Center". |
| 71 | + |
| 72 | + |
| 73 | + |
| 74 | +During this step, you will set up Teleport as an OIDC identity provider for |
| 75 | +your AWS account and create an AWS role with the permissions required for the |
| 76 | +integration to function, such as fetching Identity Center accounts, users, |
| 77 | +groups, permission set assignments, and so on. |
| 78 | + |
| 79 | +<Details title="Full list of IAM permissions required by Identity Center integration"> |
| 80 | +``` |
| 81 | +organizations:ListAccounts |
| 82 | +organizations:ListAccountsForParent |
| 83 | +
|
| 84 | +identitystore:ListUsers |
| 85 | +identitystore:ListGroups |
| 86 | +identitystore:ListGroupMemberships |
| 87 | +
|
| 88 | +sso:DescribeInstance |
| 89 | +sso:DescribePermissionSet |
| 90 | +sso:ListPermissionSets |
| 91 | +sso:ListAccountAssignmentsForPrincipal |
| 92 | +sso:ListPermissionSetsProvisionedToAccount |
| 93 | +sso:CreateAccountAssignment |
| 94 | +sso:DescribeAccountAssignmentCreationStatus |
| 95 | +sso:DeleteAccountAssignment |
| 96 | +sso:DescribeAccountAssignmentDeletionStatus |
| 97 | +
|
| 98 | +iam:AttachRolePolicy |
| 99 | +iam:CreateRole |
| 100 | +iam:GetRole |
| 101 | +iam:ListAttachedRolePolicies |
| 102 | +iam:ListRolePolicies |
| 103 | +iam:GetSAMLProvider |
| 104 | +iam:ListRoles |
| 105 | +``` |
| 106 | +</Details> |
| 107 | + |
| 108 | + |
| 109 | + |
| 110 | +Enter required information such as Identity Center region, ARN and integration |
| 111 | +name, and execute the generated command in the Cloud Shell. |
| 112 | + |
| 113 | +After the script has run, fill out the ARN for the role created by the script. |
| 114 | + |
| 115 | + |
| 116 | + |
| 117 | +## Step 2/6. Preview AWS resources |
| 118 | + |
| 119 | +On the next step, you are presented with the list of AWS accounts, groups, and |
| 120 | +permission sets that Teleport was able to find in your Identity Center. |
| 121 | + |
| 122 | + |
| 123 | + |
| 124 | +Pick the default owners that should be assigned to the Access Lists in Teleport. |
| 125 | +These resources will be imported into Teleport once you click Next. |
| 126 | + |
| 127 | +## Step 3/6. Configure identity source |
| 128 | + |
| 129 | +<Admonition type="warning"> |
| 130 | +After this step, Teleport will become your Identity Center's identity provider. |
| 131 | + |
| 132 | +To avoid access interruptions, we recommend making sure that all existing |
| 133 | +Identity Center users have access to your Teleport cluster by e.g. using |
| 134 | +the same [IdP](../../access-controls/sso/sso.mdx) as your current Identity Center |
| 135 | +external identity source. |
| 136 | +</Admonition> |
| 137 | + |
| 138 | +Follow the instructions to change your Identity Center's identity source to |
| 139 | +Teleport. |
| 140 | + |
| 141 | + |
| 142 | + |
| 143 | +## Step 4/6. Enable SCIM |
| 144 | + |
| 145 | +The final step is to enable the SCIM endpoint in your Identity Center to |
| 146 | +allow Teleport to push user and group changes. |
| 147 | + |
| 148 | + |
| 149 | + |
| 150 | +Make sure to test SCIM connection after enabling it. |
| 151 | + |
| 152 | +## Step 5/6. Verify the integration |
| 153 | + |
| 154 | +Navigate to the Access Lists view page in your cluster and make sure that all |
| 155 | +your Identity Center groups have been imported: |
| 156 | + |
| 157 | + |
| 158 | + |
| 159 | +<Admonition type="note"> |
| 160 | +It may take a few minutes for the initial sync to complete. |
| 161 | +</Admonition> |
| 162 | + |
| 163 | +Imported Access Lists should show the same members as their corresponding |
| 164 | +Identity Center groups. |
| 165 | + |
| 166 | +## Step 6/6. Connect to AWS |
| 167 | + |
| 168 | +Once the integration is up and running, you will see an application named |
| 169 | +`aws-identity-center` among your resources: |
| 170 | + |
| 171 | + |
| 172 | + |
| 173 | +Clicking the "Log In" button for this app takes you to your Identity Center |
| 174 | +SSO start page which you can use to pick a role and connect to your AWS account |
| 175 | +as usual. |
| 176 | + |
| 177 | +## Usage scenarios |
| 178 | + |
| 179 | +### Managing access with Access Lists |
| 180 | + |
| 181 | +Teleport creates an Access List for each group found in the Identity Center, |
| 182 | +with group members becoming Access List members. Default Access List owners are |
| 183 | +configured during the initial integration enrollment flow and can be adjusted |
| 184 | +as necessary after the initial sync completes. |
| 185 | + |
| 186 | +Each imported Access List is automatically assigned a role (or a set of roles) |
| 187 | +that grant all members of that list access to a particular permission set on a |
| 188 | +particular AWS account based on the permissions the corresponding Identity Center |
| 189 | +group was assigned during the integration setup. Those roles are considered |
| 190 | +system roles generated by Teleport and are named using `<permission-set-name>-on-<account-name>` |
| 191 | +convention (e.g. `AdministratorAccess-on-my-account`). |
| 192 | + |
| 193 | +To give a user permission granted by an already-existing Identity Center synced |
| 194 | +Access List, an owner can add that user as a member which makes Teleport to add |
| 195 | +the user to its corresponding Identity Center group. |
| 196 | + |
| 197 | +<Admonition type="note"> |
| 198 | +While the integration is running, all existing Teleport users are synced to |
| 199 | +Identity Center. |
| 200 | +</Admonition> |
| 201 | + |
| 202 | +Removing a member from an Identity Center synced Access List removes them |
| 203 | +from the corresponding Identity Center group effectively revoking privileges. |
| 204 | + |
| 205 | +In addition to membership changes, Teleport propagates changes in Access List |
| 206 | +grants to Identity Center as well. In a scenario where, say, for an Access List |
| 207 | +with roles `AdministratorAccess-on-my-account` and `ReadOnlyAccess-on-my-account` |
| 208 | +one of the granted roles were to be removed, the corresponding Identity Center |
| 209 | +group would see its assignments updated accordingly. |
| 210 | + |
| 211 | +### Using role Access Requests |
| 212 | + |
| 213 | +For short-term privilege elevation, Identity Center integration works with |
| 214 | +Teleport Access Requests. |
| 215 | + |
| 216 | +When an Access Request for a role granting Identity Center privileges is |
| 217 | +approved, Teleport creates an individual assignment for that user in the |
| 218 | +Identity Center. The assignment is deleted when the Access Request expires. |
| 219 | + |
| 220 | +<Admonition type="note"> |
| 221 | +In a future version, Teleport will support requesting access to individual |
| 222 | +permission sets using resource-based Access Request flow similar to other |
| 223 | +Teleport resources. |
| 224 | +</Admonition> |
| 225 | + |
| 226 | +### Creating custom Identity Center roles |
| 227 | + |
| 228 | +You can craft your own roles that bind Identity Center accounts to permission |
| 229 | +sets, for example: |
| 230 | + |
| 231 | +```yaml |
| 232 | +kind: role |
| 233 | +version: v7 |
| 234 | +metadata: |
| 235 | + name: aws-dev-access |
| 236 | +spec: |
| 237 | + allow: |
| 238 | + account_assignments: |
| 239 | + - account: "<account_id>" # AWS identity center account ID |
| 240 | + name: AdministratorAccess # name of the permission set in AWS |
| 241 | + permission_set: arn:aws:sso:::permissionSet/ssoins-1234/ps-5678 # permission set ARN |
| 242 | + - account: "<account_id>" |
| 243 | + name: ReadOnlyAccess |
| 244 | + permission_set: arn:aws:sso:::permissionSet/ssoins-1234/ps-8765 |
| 245 | +``` |
| 246 | +
|
| 247 | +These roles can be assigned to users and Access Lists or requested by users |
| 248 | +using Access Requests flow described above. |
| 249 | +
|
| 250 | +## FAQ |
| 251 | +
|
| 252 | +### Which Access Lists are synced to Identity Center? |
| 253 | +
|
| 254 | +Teleport syncs all Access Lists that have AWS account and permission set rules |
| 255 | +among their role grants to Identity Center. |
| 256 | +
|
| 257 | +### How does it work with nested Access Lists? |
| 258 | +
|
| 259 | +Identity Center does not support nested groups. As such, Teleport flattens out |
| 260 | +the member list when syncing an Access List that has |
| 261 | +[nested Access Lists](../../access-controls/access-lists/nested-access-lists.mdx). |
| 262 | +
|
| 263 | +### How do I uninstall the integration? |
| 264 | +
|
| 265 | +<Admonition type="warning"> |
| 266 | +Before fully removing the integration, make sure to remember to change the |
| 267 | +identity source in your Identity Center. |
| 268 | +</Admonition> |
| 269 | +
|
| 270 | +You can remove the integration by navigating to your cluster's Integrations |
| 271 | +list and deleting both the integration named `AWS Identity Center` and the AWS |
| 272 | +OIDC integration that was created during the first enrollment step. |
| 273 | + |
| 274 | +To clean up AWS resources created for the integration, remove the Identity |
| 275 | +Provider and its role from your AWS IAM console as well. |
| 276 | + |
| 277 | +## Next steps |
| 278 | + |
| 279 | +- Take a deeper dive into fundamental Teleport concepts used in Identity Center |
| 280 | + integration such as [RBAC](../../access-controls/guides/guides.mdx), |
| 281 | + [JIT Access Requests](../../access-controls/access-requests/access-requests.mdx) |
| 282 | + and [Access Lists](../../access-controls/access-lists/access-lists.mdx). |
| 283 | +- Learn how to enable [Okta integration](../../../enroll-resources/application-access/okta/hosted-guide.mdx) |
| 284 | + to sync apps, users and groups from Okta in conjunction with Identity Center |
| 285 | + integration. |
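Review bot: Step 4/6 (file line 145, "The final step is to enable the SCIM endpoint") is not the final step, since Steps 5/6 and 6/6 follow; change it to "The next step is to enable the SCIM endpoint ...". In Step 1 the IAM permission list includes write permissions (`iam:CreateRole`, `iam:AttachRolePolicy`) and `iam:GetSAMLProvider` next to the read-only `organizations:`, `identitystore:` and `sso:` calls, but the text above the list only explains the read side ("fetching Identity Center accounts, users, groups, permission set assignments"); one sentence stating what the integration creates or attaches with the IAM write permissions would let readers scope the role deliberately. The note "While the integration is running, all existing Teleport users are synced to Identity Center" is a significant behaviour buried under "Managing access with Access Lists"; consider repeating it in the "How it works" warning so administrators know every Teleport user will appear in Identity Center before they enable the integration. Minor wording: "already uses external identity source" should read "already uses an external identity source"; "which makes Teleport to add the user" should read "which causes Teleport to add the user"; "using Access Requests flow described above" should read "using the Access Request flow described above"; and "make sure to remember to change" can simply be "remember to change".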