Add Okta as a trusted source for AWS roles

After you configure Okta as the Amazon Web Services (AWS) account identity provider, you create or update existing IAM roles for Okta to retrieve and assign to users. Okta can only provide single sign-on (SSO) for users with roles that have been configured to grant access to the Okta SAML identity provider you configured in Configure AWS accounts and roles for SAML SSO.

Grant SSO access to an existing role

  1. On the AWS Management Console, click Roles in the left pane.
  2. Select the role that you would like to permit Okta SSO access to.
  3. Select the Trust Relationship tab for the role, then click Edit Trust Relationship.
  4. Modify the IAM trust relationship policy to permit SSO through Okta using the SAML identity provider (IdP) you previously configured:

    • If the policy document is empty, you can copy and paste the provided policy and replace <COPY & PASTE SAML ARN VALUE HERE> with the Amazon Resource Name (ARN).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "<COPY & PASTE SAML ARN VALUE HERE>"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}
    • If you already have a trust relationship in place, modify your existing policy document so that it also includes Okta SSO access. At a minimum, add everything within the Statement block shown above as an additional statement, leaving your existing statements intact.

Grant SSO access to a new role

  1. On the AWS Management Console, click Roles in the left pane.
  2. Go to Roles > Create Role.
  3. Select SAML 2.0 federation as the type of trusted entity.
  4. Select Okta (the name of your identity provider) as the SAML provider, select Allow programmatic and AWS Management Console access, then proceed to Permissions.
  5. Select the policy you want to attach to the role you are creating.
  6. Finish the role configuration.
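Both procedures above come down to the same trust policy: a single statement that lets the Okta SAML provider call sts:AssumeRoleWithSAML, conditioned on the AWS sign-in audience. The following script is an added example, not Okta's or AWS's own code. It builds that policy for a new role, merges it into an existing role's trust policy without disturbing statements that are already there (the "current trust relationship" case), and audits the result so that only the expected provider ARN is trusted and the SAML:aud condition is present. The provider ARN, the sample EC2 trust policy and all function names are constructed for illustration; substitute the ARN of the SAML provider you created in IAM.

```python
import json
from copy import deepcopy

# Constructed placeholder, not a real ARN: replace with the ARN shown for your
# Okta SAML provider under IAM > Identity providers.
OKTA_SAML_PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/Okta"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def okta_saml_statement(saml_provider_arn):
    """The statement from the page, parameterized by the SAML provider ARN."""
    return {
        "Effect": "Allow",
        "Principal": {"Federated": saml_provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }


def new_trust_policy(saml_provider_arn):
    """Trust policy for a brand-new role that only Okta may assume."""
    return {"Version": "2012-10-17", "Statement": [okta_saml_statement(saml_provider_arn)]}


def _as_list(value):
    # IAM accepts a single object/string or a list for Statement, Action and Federated.
    return value if isinstance(value, list) else [value]


def _federated_principals(statement):
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    return _as_list(principal.get("Federated", []))


def grants_okta_saml(statement, saml_provider_arn):
    """True if the statement already allows AssumeRoleWithSAML for this provider."""
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action", []))
    return saml_provider_arn in _federated_principals(statement) and "sts:AssumeRoleWithSAML" in actions


def add_okta_trust(existing_policy, saml_provider_arn):
    """Merge the Okta statement into an existing trust policy, leaving other statements untouched."""
    policy = deepcopy(existing_policy) if existing_policy else {"Version": "2012-10-17", "Statement": []}
    statements = _as_list(policy.get("Statement", []))
    if not any(grants_okta_saml(s, saml_provider_arn) for s in statements):
        statements.append(okta_saml_statement(saml_provider_arn))
    policy["Statement"] = statements
    return policy


def audit_trust_policy(policy, expected_provider_arn):
    """Return findings for every SAML statement that is broader than the page's template."""
    findings = []
    for i, s in enumerate(_as_list(policy.get("Statement", []))):
        if "sts:AssumeRoleWithSAML" not in _as_list(s.get("Action", [])):
            continue  # not a SAML federation statement
        federated = _federated_principals(s)
        if s.get("Principal") == "*" or "*" in federated:
            findings.append(f"statement {i}: wildcard Federated principal")
        for arn in federated:
            if arn != expected_provider_arn:
                findings.append(f"statement {i}: unexpected SAML provider {arn}")
        aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != AWS_SAML_AUDIENCE:
            findings.append(f"statement {i}: SAML:aud condition missing or not {AWS_SAML_AUDIENCE}")
    return findings


# Constructed sample: a role that an EC2 instance profile already assumes.
EXISTING_EC2_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}
    ],
}

if __name__ == "__main__":
    merged = add_okta_trust(EXISTING_EC2_TRUST, OKTA_SAML_PROVIDER_ARN)
    print(json.dumps(merged, indent=2))
    print("findings:", audit_trust_policy(merged, OKTA_SAML_PROVIDER_ARN))
```

The merge is idempotent, so it can be run against a role that already trusts Okta without duplicating the statement. The audit deliberately treats a missing SAML:aud condition as a finding: without it the statement still works, but it no longer ties the assertion to the AWS sign-in endpoint the page's template specifies.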

Next steps

Generate the AWS API access key