Generate the AWS API access key

In the AWS source account, you need to create an AWS user with specific permissions so Okta can dynamically fetch a list of available roles from your accounts. This makes assigning users and groups to specific AWS roles easy and secure for administrators.

  1. On the AWS Management Console, click Users > Add user.

  2. Enter a user name in the User name field. For example, OktaSSOuser.

  3. Access type: Select Programmatic access, then click Next: Permissions.

  4. Click Attach existing policies directly, then Create policy.

    The Create policy page opens in a new browser tab.

  5. Select the JSON tab.

  6. Delete the existing code under the JSON tab and replace it with the following code:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:ListRoles",
            "iam:ListAccountAliases"
          ],
          "Resource": "*"
        }
      ]
    }

  7. Click Review policy (refer to AWS documentation for details, if needed).

  8. Enter a name and optional description for the policy. For example, OktaSourceAccountPolicy.

  9. Click Create Policy.

    The app returns you to the first browser tab where you can continue assigning policies to your IAM user.

  10. Select the first IAM Management Console browser tab.

  11. Make sure that Attach existing policies directly is selected.

  12. Click Refresh, enter the name of the policy you created in the search field, then select the policy.

  13. Click Next: Tags.

  14. Optional. Add descriptive tags for the user and click Next: Review.

  15. Click Create user.

  16. Copy the keys in the Access key ID and Secret access key columns, then click Close. You'll need these keys to complete the configuration.

    This is the only time that you can view and copy the keys.