ICF 1.5.20.29

Amazon Web Services (AWS) connector

Amazon Web Services (AWS) Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. The AWS connector lets you manage and synchronize accounts between AWS and IDM managed user objects. You can also search, assign, and unassign certain other objects from AWS.

To use this connector, you must have an AWS administrator account with proper access to AWS as described in the AWS documentation.

Before you start

Before you configure the connector, log in to your AWS administrator account and note the following:

Access Key ID

The access key ID is a globally unique IAM user identifier to access the AWS service API.

Secret Key ID

The secret key is a password to access the AWS service API.

Role ARN

Amazon Resource Name (ARN) for the role which has IAM Full Access permissions.

Credentials Expiration

Time (in seconds) to configure the duration in which the temporary credentials expire. Optional. Default: 3600.

Region

The region where the AWS instance is hosted.

Parent ID

The unique identifier assigned to the parent entity (like the root account) in the AWS Organization hierarchy. Required for Organizational Unit operations.

UserName

The unique name of a user. Required specifically for retrieving inline policies associated with that user.

Install the AWS connector

To check for an Advanced Identity Cloud application for this connector, refer to:

You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.

Connector included in default deployment
Connector IDM RCS

Amazon Web Services (AWS)

No

No

Download the connector .jar file from Backstage.

  • If you are running the connector locally, place it in the /path/to/openidm/connectors directory, for example:

    mv ~/Downloads/aws-connector-1.5.20.26.jar /path/to/openidm/connectors/

  • If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.

Configure the AWS connector

Create a connector configuration using the IDM admin UI:

  1. From the navigation bar, click Configure > Connectors.

  2. On the Connectors page, click New Connector.

  3. On the New Connector page, type a Connector Name.

  4. From the Connector Type drop-down list, select AWS Connector - 1.5.20.26.

  5. Complete the Base Connector Details.

    For a list of all configuration properties, refer to AWS Connector Configuration

  6. Click Save.

When your connector is configured correctly, the connector displays as Active in the admin UI.

Refer to this procedure to create a connector configuration over REST.

Test the AWS connector

Test that the configuration is correct by running the following command:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/system/aws?_action=test"
{
  "name": "aws",
  "enabled": true,
  "config": "config/provisioner.openicf/aws",
  "connectorRef": {
    "bundleVersion": "[1.5.0.0,1.6.0.0)",
    "bundleName": "org.forgerock.openicf.connectors.aws-connector",
    "connectorName": "org.forgerock.openicf.connectors.aws.AwsConnector"
  },
  "displayName": "AWS Connector",
  "objectTypes": [
    "__ACCOUNT__",
    "__GROUP__",
    "__ROLE__",
    "__MANAGEDPOLICY__",
    "__INLINEPOLICY__",
    "__SERVICECONTROLPOLICY__",
    "__ORGUNIT__"
  ],
  "ok": true
}

If the command returns "ok": true, your connector has been configured correctly and can authenticate to the AWS system.

AWS remote connector

If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the AWS connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM.

You can download the AWS connector from here.

Refer to Remote connectors for configuring the AWS remote connector.

Configure connection pooling

The AWS connector uses connector-specific pooling to manage connections. Learn more about the different pooling mechanisms in Connectors by pooling mechanism.

Supported resource types

The connector maps the following ICF native types to AWS resource types:

ICF Native Type AWS Resource Type Naming Attribute

__ACCOUNT__

User

__NAME__

__GROUP__

Group

__NAME__

__ROLE__

Role

__NAME__

__MANAGEDPOLICY__

Managed Policy

__NAME__

Maps to PolicyArn

__INLINEPOLICY__

Inline Policy

__NAME__

Maps to PolicyName

__SERVICECONTROLPOLICY__

Service Control Policy

__NAME__

Maps to PolicyId

__ORGUNIT__

Organizational Unit

__NAME__

Maps to ParentId or Organizational Unit Name/Arn depending on context

Supported search filters

The AWS connector supports search operations with the following filter operators and attributes:

Object Type Operator Attributes

__ACCOUNT__

Equals filter

Path, UserName (__NAME__)

__GROUP__

Equals filter

Path, GroupName (__NAME__)

__ROLE__

Equals filter

Path, RoleName (__NAME__)

__MANAGEDPOLICY__

Equals filter

Path, PolicyArn (__NAME__)

__INLINEPOLICY__

Equals filter

PolicyName (__NAME__)

__SERVICECONTROLPOLICY__

Equals filter

PolicyId (__NAME__)

__ORGUNIT__

Equals filter

ParentId (__NAME__)

Supported attributes

The AWS connector supports the following attributes.

AWS account (user) attributes

The AWS connector supports the following AWS account attributes:

Attribute Description

UserName

The name of the user. Required. Can contain up to 64 letters, digits, and the characters +, =, ,, ., @, _, -. Must be unique within the account.

UserId

Auto-generated unique user ID. Read-only.

Path

The path for the user. Used to create a folder-like hierarchy. Default value is /.

Password

Password for the user’s console login profile. Write-only.

Arn

Amazon Resource Names (ARNs) uniquely identify the AWS resource. Read-only.

CreatedDate

Date the user was created, in ISO 8601 date-time format. Read-only.

PasswordLastUsed

Date the user’s password was last used for login. Read-only.

PermissionBoundary

The ARN of the policy used to set the permissions boundary for the user.

Tags

A list of customizable key-value pairs attached to the user. For example:

"Tags": [{
    "Key": "Department",
    "Value": "Accounting"
}]

Learn more about Tagging AWS resources in the AWS documentation.

Group

List of group names the user belongs to.

ManagedPolicy

List of managed policy ARNs attached to the user.

InlinePolicy

List of inline policies embedded in the user. Each item contains PolicyName and PolicyDocument.

Role

List of roles assigned to the user. Each item contains RoleName and potentially PolicyArn.

AWS group attributes

Attribute Description

GroupName

Name of the group. Required.

GroupId

Auto-generated unique group ID. Read-only.

Arn

Amazon Resource Name (ARN) uniquely identifies the group resource. Read-only.

Path

The path for the group. Used to create a folder-like hierarchy. Default value is /. Read-only.

AWS role attributes

Attribute Description

RoleName

Name of the Role. Required.

RoleId

Auto-generated unique role ID. Read-only.

Path

The path for the role. Used to create a folder-like hierarchy. Default value is /. Read-only.

Arn

Amazon Resource Name (ARN) uniquely identifies the role resource. Read-only.

CreateDate

Date the role was created. Read-only.

AssumeRolePolicyDocument

The trust policy document associated with the role. Read-only.

AWS managed policy attributes

Attribute Description

PolicyArn

The Amazon Resource Name (ARN) uniquely identifies the Managed Policy. Required for identification. Read-only.

PolicyId

Auto-generated unique policy ID. Read-only.

PolicyName

Name of the policy. Read-only.

Path

The path for the policy. Used to create a folder-like hierarchy. Default value is /. Read-only.

CreateDate

Date the policy was created. Read-only.

AttachmentCount

Number of entities (users, groups, roles) attached to the policy. Read-only.

IsAttachable

Whether the policy can be attached to users, groups, or roles. Read-only.

DefaultVersionId

The identifier for the default version of the policy. Read-only.

PermissionsBoundaryUsageCount

Number of entities using this policy as a permissions boundary. Read-only.

UpdateDate

Date the policy was last updated. Read-only.

AWS inline policy attributes

Attribute Description

PolicyName

Name of the inline policy. Required.

UserName

Name of the user the inline policy is attached to. Required for identification.

PolicyDocument

The policy document.

AWS Service Control Policy (SCP) attributes

Attribute Description

Id

The unique identifier (ID) of the SCP. Required for identification. Read-only.

PolicyName

Name of the SCP. Read-only.

PolicySummary

Object containing details like Arn, Type, Description, and AwsManaged status. Read-only.

AWS Organizational Unit (OU) attributes

Attribute Description

ParentId

The unique identifier (ID) of the parent entity (root or OU). Required for identification. Read-only.

OrganizationalUnits

List of OU objects, each containing Name and Arn. Read-only.

Use the AWS connector

You can use the AWS connector to perform create, read, update, and delete (CRUD) operations on AWS IAM objects.

User account operations

Create an AWS user

The following example creates a user with the minimum required attributes:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request POST \
--data '{
  "__NAME__": "bjensen"
}' \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__?_action=create"
Response
{
  "_id": "bjensen",
  "Path": "/",
  "UserId": "AIDAW3FY74V57KNBRIDU6",
  "__NAME__": "bjensen",
  "Arn": "arn:aws:iam::470686885243:user/bjensen",
  "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022"
}

The following example creates a user with all assignable attributes:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request POST \
--data '{
  "__NAME__": "jdoe",
  "Path": "/engineering/",
  "__PASSWORD__": "P@ssw0rd123!",
  "PermissionsBoundary": "arn:aws:iam::aws:policy/PowerUserAccess",
  "Tags": [{ "Key": "Project", "Value": "Phoenix" }],
  "__GROUP__": ["developers"],
  "__MANAGEDPOLICY__": ["arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"],
  "__ROLE__": [{"RoleName": "EC2InstanceRole"}],
  "__INLINEPOLICY__": [{
    "PolicyName": "S3BucketAccess",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example_bucket"
      }]
    }
  }]
}' \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__?_action=create"

Response:

{
  "_id": "jdoe",
  "CreatedDate": "Fri May 02 13:00:00 PDT 2025",
  "Arn": "arn:aws:iam::123456789012:user/engineering/jdoe",
  "__INLINEPOLICY__": [ { "PolicyName": "S3BucketAccess" } ],
  "__NAME__": "jdoe",
  "__GROUP__": [ "developers" ],
  "Path": "/engineering/",
  "__ROLE__": [ { "RoleName": "EC2InstanceRole" } ],
  "PermissionsBoundary": "arn:aws:iam::aws:policy/PowerUserAccess",
  "__MANAGEDPOLICY__": [ "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess" ],
  "Tags": [ { "Project": "Phoenix" } ],
  "UserId": "AIDACKCEVSQ6C2EXAMPLE"
}

  • You must specify at least __NAME__ when creating a user.

  • Usernames can be up to 64 characters long and include letters, digits, and + = , . @ _ -.

  • Assigning roles (__ROLE__) during user creation is informational in IAM; roles are assumed, not directly assigned like groups or policies. The connector reflects attached policies for consistency but doesn’t perform role assignment in the AWS sense.

Update an AWS user

Modify an existing user with a PUT request. Include all attributes you want the user to have; attributes not included in the PUT request might be removed or reset depending on the target system behavior (often equivalent to PATCH for specific fields like Tags, Group, Policy, Role additions/removals).

Modifiable attributes:

  • __NAME__ (Requires specifying the old ID in the URL)

  • __PASSWORD__ (Use PATCH for password changes)

  • Path

  • PermissionsBoundary

  • Tags

  • __GROUP__

  • __MANAGEDPOLICY__

  • __INLINEPOLICY__

  • __ROLE__ (Reference the note in Create an AWS user)

For example, to add a new tag to a user:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "If-Match:*" \
--request PUT \
--data '{
  "__NAME__": "bjensen",
  "Tags": [{
    "Key": "Project",
    "Value": "Meteor"
  }]
}' \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen"
{
  "_id": "bjensen",
  "Path": "/",
  "UserId": "AIDAW3FY74V57KNBRIDU6",
  "__NAME__": "bjensen",
  "Arn": "arn:aws:iam::470686885243:user/bjensen",
  "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022",
  "Tags": [
    {
      "Project": "Meteor"
    }
  ]
}

Assign other objects to a user

Use PATCH or PUT to add groups, managed policies, inline policies, or roles to a user.

Example using PATCH to add a group and a managed policy:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "If-Match:*" \
--request PATCH \
--data '[
  {"operation": "add", "field": "__GROUP__", "value": ["qa-team"]},
  {"operation": "add", "field": "__MANAGEDPOLICY__", "value": ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]}
]' \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__/jdoe"

Unassign other objects from a user

Use PATCH or PUT to remove groups, managed policies, inline policies, or roles from a user.

Example using PATCH to remove a group and an inline policy:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "If-Match:*" \
--request PATCH \
--data '[
  {"operation": "remove", "field": "__GROUP__", "value": ["frontend-devs"]},
  {"operation": "remove", "field": "__INLINEPOLICY__", "value": [{"PolicyName": "S3BucketAccess"}]}
]' \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__/jdoe"

Query AWS users

The following example queries all AWS users:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request GET \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__?_queryId=query-all-ids"
{
  "result": [
    {
      "_id": "bjensen"
    },
    {
      "_id": "frank@example.com"
    },
    {
      "_id": "testFR4User"
    },
    {
      "_id": "testFR5User"
    },
    {
      "_id": "testFR6User"
    }
  ],
  …​
}

The following command queries a specific user by their ID:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request GET \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen"
{
  "_id": "bjensen",
  "Path": "/",
  "UserId": "AIDAW3FY74V57KNBRIDU6",
  "__NAME__": "bjensen",
  "Arn": "arn:aws:iam::470686885243:user/bjensen",
  "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022",
  "Tags": [
    {
      "Project": "Meteor"
    }
  ]
}

Reset an AWS user account password

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--header "if-Match:*" \
--request PATCH \
--data '[{
  "operation": "add",
  "field": "__PASSWORD__",
  "value": "Passw0rd@123!"
}]' \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen"
{
  "_id": "bjensen",
  "Path": "/",
  "UserId": "AIDAW3FY74V57KNBRIDU6",
  "__NAME__": "bjensen",
  "Arn": "arn:aws:iam::470686885243:user/bjensen",
  "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022",
  "Tags": [
    {
      "Project": "Meteor"
    }
  ]
}

While the __PASSWORD__ field is not returned in the response, the user’s password is updated.

Delete an AWS user account

Use a DELETE request to remove a user from AWS IAM.

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Content-Type: application/json" \
--request DELETE \
"http://localhost:8080/openidm/system/aws/__ACCOUNT__/bjensen"
{
  "_id": "bjensen",
  "Path": "/",
  "UserId": "AIDAW3FY74V57KNBRIDU6",
  "__NAME__": "bjensen",
  "Arn": "arn:aws:iam::470686885243:user/bjensen",
  "CreatedDate": "Thu Jun 02 16:46:39 PDT 2022",
  "Tags": [
    {
      "Project": "Meteor"
    }
  ]
}

Other object type operations

A similar query pattern applies to groups, roles, managed policies, inline policies, service control policies, and organizational units using their respective object types (GROUP, ROLE, and so on.) in the request URL. For example, _queryFilter=True to return all applicable objects, and using the specific object ID to return a particular object.

Query AWS Groups

Query all groups:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__GROUP__?_queryFilter=True"
Response
{
  "result": [
    {
      "_id": "forge",
      "Path": "/",
      "__NAME__": "forge",
      "GroupId": "AGPAW3FY74V5TAMVGJTDO",
      "GroupName": "forge",
      "Arn": "arn:aws:iam::470686885243:group/forge"
    },
    {
      "_id": "IAMAdministrator",
      "Path": "/",
      "__NAME__": "IAMAdministrator",
      "GroupId": "AGPAW3FY74V5XKCZVOQI5",
      "GroupName": "IAMAdministrator",
      "Arn": "arn:aws:iam::470686885243:group/IAMAdministrator"
    },
    {
      "_id": "SuperUser",
      "Path": "/",
      "__NAME__": "SuperUser",
      "GroupId": "AGPAW3FY74V5XANUBMNXT",
      "GroupName": "SuperUser",
      "Arn": "arn:aws:iam::470686885243:group/SuperUser"
    },
    {
      "_id": "TempGroup",
      "Path": "/",
      "__NAME__": "TempGroup",
      "GroupId": "AGPAW3FY74V5RBM7LKG5S",
      "GroupName": "TempGroup",
      "Arn": "arn:aws:iam::470686885243:group/TempGroup"
    },
    {
      "_id": "Windows_Access",
      "Path": "/",
      "__NAME__": "Windows_Access",
      "GroupId": "AGPAW3FY74V57Z7SG3GRY",
      "GroupName": "Windows_Access",
      "Arn": "arn:aws:iam::470686885243:group/Windows_Access"
    }
  ],
  ...
}

Query a specific group:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__GROUP__/developers"
Response
{
  "_id": "developers",
  "Path": "/",
  "__NAME__": "developers",
  "GroupId": "AGPACKCEVSQ6C2EXAMPLE",
  "GroupName": "developers",
  "Arn": "arn:aws:iam::123456789012:group/developers"
}

Query AWS Roles

Query all roles:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__ROLE__?_queryFilter=True"
Response
{
  "result": [
    {
      "_id": "Adminrole",
      "CreatedDate": "Fri Mar 08 13:24:10 IST 2024",
      "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%2C%22Condition%22%3A%7B%7D%7D%5D%7D",
      "__NAME__": "Adminrole",
      "Path": "/",
      "RoleArn": "arn:aws:iam::470686885243:role/Adminrole",
      "RoleName": "Adminrole",
      "RoleId": "AROAW3FY74V5XMWBZPK5U"
    },
    {
      "_id": "aws-quicksight-secretsmanager-role-v0",
      "CreatedDate": "Fri Jan 26 23:37:52 IST 2024",
      "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22quicksight.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
      "__NAME__": "aws-quicksight-secretsmanager-role-v0",
      "Path": "/service-role/",
      "RoleArn": "arn:aws:iam::470686885243:role/service-role/aws-quicksight-secretsmanager-role-v0",
      "RoleName": "aws-quicksight-secretsmanager-role-v0",
      "RoleId": "AROAW3FY74V54P5FRC3ZC"
    },
    ...
  ]
}

Query a specific role:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__ROLE__/AWSTokenRole"
Response
{
  "_id": "AWSTokenRole",
  "CreatedDate": "Mon Mar 28 19:23:45 IST 2022",
  "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-       17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22AWS%22%3A%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aroot%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%2C%22Condition%22%3A%7B%7D%7D%5D%7D",
  "__NAME__": "AWSTokenRole",
  "Path": "/",
  "RoleArn": "arn:aws:iam::470686885243:role/AWSTokenRole",
  "RoleName": "AWSTokenRole",
  "RoleId": "AROAW3FY74V54K33FGL7Z"
}

Query AWS Managed Policies

Query all managed policies:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__MANAGEDPOLICY__?_queryFilter=True"
Response
{
  "result": [
    { "_id": "arn:aws:iam::aws:policy/AdministratorAccess", ... },
    { "_id": "arn:aws:iam::aws:policy/PowerUserAccess", ... },
    { "_id": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess", ... },
    ...
  ],
  ...
}

Query a specific managed policy using ARN as the ID:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__MANAGEDPOLICY__/arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
Response
{
  "_id": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
  "UpdateDate": "...",
  "PolicyArn": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
  "AttachmentCount": "5",
  "CreatedDate": "...",
  "PermissionsBoundaryUsageCount": "0",
  "__NAME__": "AmazonEC2ReadOnlyAccess",
  "PolicyName": "AmazonEC2ReadOnlyAccess",
  "IsAttachable": "true",
  "Path": "/",
  "DefaultVersionId": "v15",
  "PolicyId": "ANPACKCEVSQ6C2EXAMPLE"
}

Query AWS Inline Policies

Query all inline policies:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__INLINEPOLICY__?_queryFilter=True"
Response
{
  "result": [
    {
      "_id": "Demo_Inline",
      "Username": "Enduser",
      "PolicyDocument": "%7B%20%09%22Version%22%3A%20%222012-10-17%22%2C%20%09%22Statement%22%3A%20%5B%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%5B%20%09%09%09%09%22iam%3AGenerateCredentialReport%22%2C%20%09%09%09%09%22iam%3AGetAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetailsWithEntities%22%2C%20%09%09%09%09%22iam%3AListServerCertificates%22%2C%20%09%09%09%09%22iam%3ASetSTSRegionalEndpointStatus%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetails%22%2C%20%09%09%09%09%22iam%3AListVirtualMFADevices%22%2C%20%09%09%09%09%22iam%3AGetOrganizationsAccessReport%22%2C%20%09%09%09%09%22iam%3ASetSecurityTokenServicePreferences%22%2C%20%09%09%09%09%22iam%3AUpdateAccountName%22%2C%20%09%09%09%09%22iam%3ASimulateCustomPolicy%22%2C%20%09%09%09%09%22iam%3AGetAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ACreateAccountAlias%22%2C%20%09%09%09%09%22iam%3AUpdateAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetAccountAuthorizationDetails%22%2C%20%09%09%09%09%22iam%3ADeleteCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ADeleteAccountAlias%22%2C%20%09%09%09%09%22iam%3AGetCredentialReport%22%2C%20%09%09%09%09%22iam%3AListPolicies%22%2C%20%09%09%09%09%22iam%3ADeleteAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListSAMLProviders%22%2C%20%09%09%09%09%22iam%3AListCloudFrontPublicKeys%22%2C%20%09%09%09%09%22iam%3AListRoles%22%2C%20%09%09%09%09%22iam%3AListInstanceProfiles%22%2C%20%09%09%09%09%22iam%3AUploadCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetContextKeysForCustomPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListOpenIDConnectProviders%22%2C%20%09%09%09%09%22iam%3AGetAccountName%22%2C%20%09%09%09%09%22iam%3AListAccountAliases%22%2C%20%09%09%09%09%22iam%3AListUsers%22%2C%20%09%09%09%09%22iam%3AListGroups%22%2C%20%09%09%09%09%22iam%3AListSTSRegionalEndpointsStatus%22%2C%20%09%09%09%09%22iam%3AGetAccountSummary%22%20%09%09%09%5D%2C%20%09%09%09%22Resource%22%3A%20%22%2A%22%20%09%09%7D%2C%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor1%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%20%09%09%09%22Resource%22%3A%20%5B%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Auser%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aaccess-report%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aoidc-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Apolicy%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Amfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Ainstance-profile%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asms-mfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Agroup%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asaml-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Arole%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aserver-certificate%2F%2A%22%20%09%09%09%5D%20%09%09%7D%20%09%5D%20%7D",
      "PolicyName": "Demo_Inline",
      "__NAME__": "Demo_Inline"
    },
    {
      "_id": "inline_example",
      "Username": "Enduser",
      "PolicyDocument": "%7B%0A%09%22Version%22%3A%20%222012-10-17%22%2C%0A%09%22Statement%22%3A%20%5B%0A%09%09%7B%0A%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%0A%09%09%09%22Effect%22%3A%20%22Allow%22%2C%0A%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%0A%09%09%09%22Resource%22%3A%20%22%2A%22%0A%09%09%7D%0A%09%5D%0A%7D",
      "PolicyName": "inline_example",
      "__NAME__": "inline_example"
    },
    {
      "_id": "Test_Inline_Policy",
      "Username": "Enduser",
      "PolicyDocument": "%7B%0A%09%22Version%22%3A%20%222012-10-17%22%2C%0A%09%22Statement%22%3A%20%5B%0A%09%09%7B%0A%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%0A%09%09%09%22Effect%22%3A%20%22Allow%22%2C%0A%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%0A%09%09%09%22Resource%22%3A%20%22%2A%22%0A%09%09%7D%0A%09%5D%0A%7D",
      "PolicyName": "Test_Inline_Policy",
      "__NAME__": "Test_Inline_Policy"
    }
  ],
  ...
}

Query a specific inline policy:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__INLINEPOLICY__/Demo_Inline"
Response
{
  "_id": "Demo_Inline",
  "Username": "Enduser",
  "PolicyDocument": "%7B%20%09%22Version%22%3A%20%222012-10-17%22%2C%20%09%22Statement%22%3A%20%5B%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor0%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%5B%20%09%09%09%09%22iam%3AGenerateCredentialReport%22%2C%20%09%09%09%09%22iam%3AGetAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetailsWithEntities%22%2C%20%09%09%09%09%22iam%3AListServerCertificates%22%2C%20%09%09%09%09%22iam%3ASetSTSRegionalEndpointStatus%22%2C%20%09%09%09%09%22iam%3AGetServiceLastAccessedDetails%22%2C%20%09%09%09%09%22iam%3AListVirtualMFADevices%22%2C%20%09%09%09%09%22iam%3AGetOrganizationsAccessReport%22%2C%20%09%09%09%09%22iam%3ASetSecurityTokenServicePreferences%22%2C%20%09%09%09%09%22iam%3AUpdateAccountName%22%2C%20%09%09%09%09%22iam%3ASimulateCustomPolicy%22%2C%20%09%09%09%09%22iam%3AGetAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ACreateAccountAlias%22%2C%20%09%09%09%09%22iam%3AUpdateAccountEmailAddress%22%2C%20%09%09%09%09%22iam%3AGetAccountAuthorizationDetails%22%2C%20%09%09%09%09%22iam%3ADeleteCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3ADeleteAccountAlias%22%2C%20%09%09%09%09%22iam%3AGetCredentialReport%22%2C%20%09%09%09%09%22iam%3AListPolicies%22%2C%20%09%09%09%09%22iam%3ADeleteAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListSAMLProviders%22%2C%20%09%09%09%09%22iam%3AListCloudFrontPublicKeys%22%2C%20%09%09%09%09%22iam%3AListRoles%22%2C%20%09%09%09%09%22iam%3AListInstanceProfiles%22%2C%20%09%09%09%09%22iam%3AUploadCloudFrontPublicKey%22%2C%20%09%09%09%09%22iam%3AGetContextKeysForCustomPolicy%22%2C%20%09%09%09%09%22iam%3AUpdateAccountPasswordPolicy%22%2C%20%09%09%09%09%22iam%3AListOpenIDConnectProviders%22%2C%20%09%09%09%09%22iam%3AGetAccountName%22%2C%20%09%09%09%09%22iam%3AListAccountAliases%22%2C%20%09%09%09%09%22iam%3AListUsers%22%2C%20%09%09%09%09%22iam%3AListGroups%22%2C%20%09%09%09%09%22iam%3AListSTSRegionalEndpointsStatus%22%2C%20%09%09%09%09%22iam%3AGetAccountSummary%22%20%09%09%09%5D%2C%20%09%09%09%22Resource%22%3A%20%22%2A%22%20%09%09%7D%2C%20%09%09%7B%20%09%09%09%22Sid%22%3A%20%22VisualEditor1%22%2C%20%09%09%09%22Effect%22%3A%20%22Allow%22%2C%20%09%09%09%22Action%22%3A%20%22iam%3A%2A%22%2C%20%09%09%09%22Resource%22%3A%20%5B%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Auser%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aaccess-report%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aoidc-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Apolicy%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Amfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Ainstance-profile%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asms-mfa%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Agroup%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Asaml-provider%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Arole%2F%2A%22%2C%20%09%09%09%09%22arn%3Aaws%3Aiam%3A%3A470686885243%3Aserver-certificate%2F%2A%22%20%09%09%09%5D%20%09%09%7D%20%09%5D%20%7D",
  "PolicyName": "Demo_Inline",
  "__NAME__": "Demo_Inline"
}

Query AWS Service Control Policies (SCPs)

Query all SCPs:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__SERVICECONTROLPOLICY__?_queryFilter=True"
Response
{
  "result": [
    {
      "_id": "p-FullAWSAccess",
      "PolicyName": "FullAWSAccess",
      "__NAME__": "FullAWSAccess",
      "Id": "p-FullAWSAccess",
      "PolicySummary": [
        {
          "Type": "SERVICE_CONTROL_POLICY",
          "Description": "",
          "Arn": "arn:aws:organizations::470686885243:policy/o-r7bvsqr1wd/service_control_policy/p-pcmxrekp",
          "AwsManaged": "false"
        }
      ]
    },
    {
      "_id": "p-pcmxrekp",
      "PolicyName": "Sandbox SCP",
      "__NAME__": "Sandbox SCP",
      "Id": "p-pcmxrekp",
      "PolicySummary": [
        {
          "Type": "SERVICE_CONTROL_POLICY",
          "Description": "",
          "Arn": "arn:aws:organizations::470686885243:policy/o-r7bvsqr1wd/service_control_policy/p-pcmxrekp",
          "AwsManaged": "false"
        }
      ]
    }
  ],
  ...
}

Query a specific SCP:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__SERVICECONTROLPOLICY__/p-DenyHighRiskActions"
Response
{
  "_id": "p-pcmxrekp",
  "PolicyName": "Sandbox SCP",
  "__NAME__": "Sandbox SCP",
  "Id": "p-pcmxrekp",
  "PolicySummary": [
    {
      "Type": "SERVICE_CONTROL_POLICY",
      "Description": "",
      "Arn": "arn:aws:organizations::470686885243:policy/o-r7bvsqr1wd/service_control_policy/p-pcmxrekp",
      "AwsManaged": "false"
    }
  ]
}

Query AWS organizational units

Query all organizational units:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__ORGUNIT__?_queryFilter=True"
Response
{
  "result": [
    {
      "_id": "ou-2g8u-y0g6eo9k",
      "__NAME__": "ORGTEST",
      "ParentId": "ou-2g8u-y0g6eo9k"
    },
    {
      "_id": "ou-2g8u-jvpza68y",
      "OrganizationalUnits": [
        {
          "Arn": "arn:aws:organizations::470686885243:ou/o-r7bvsqr1wd/ou-2g8u-kgsw9s1e",
          "Name": "1-Sandboxchild"
        }
      ],
      "__NAME__": "Sandbox",
      "ParentId": "ou-2g8u-jvpza68y"
    },
    {
      "_id": "ou-2g8u-mfus8u4b",
      "__NAME__": "Tempexample",
      "ParentId": "ou-2g8u-mfus8u4b"
    },
    {
      "_id": "ou-2g8u-b3z1vwel",
      "__NAME__": "TestOrganization",
      "ParentId": "ou-2g8u-b3z1vwel"
    }
  ],
  ...
}

Query a specific organizational unit:

Request
curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--request GET \
"http://localhost:8080/openidm/system/aws/__ORGUNIT__/ou-2g8u-jvpza68y"
Response
{
  "_id": "ou-2g8u-jvpza68y",
  "OrganizationalUnits": [
    {
      "Arn": "arn:aws:organizations::470686885243:ou/o-r7bvsqr1wd/ou-2g8u-kgsw9s1e",
      "Name": "1-Sandboxchild"
    }
  ],
  "__NAME__": "Sandbox",
  "ParentId": "ou-2g8u-jvpza68y"
}

OpenICF Interfaces Implemented by the AWS Connector

The AWS Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script arguments passed in by the application.

Search

Searches the target resource for all objects that match the specified object class and filter.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

AWS Connector Configuration

The AWS Connector has the following configurable properties:

Basic Configuration Properties

Property Type Default Encrypted(1) Required(2)

accessKeyId

String

null

Yes

Provides the Access Key ID to access the AWS IAM Service API.

secretKey

GuardedString

null

Yes

Yes

Provides the Secret Key ID to access the AWS IAM Service API.

roleArn

String

null

Yes

Provides the Amazon Resource Name specifying the Role.

region

String

null

No

Provides the Regions.

pageSize

int

100

No

Provides the Page Size.

credentialsExpiration

int

3600

No

Provides the temporary credentials expiration time in seconds.

parentId

String

null

No

Provides the Parent ID to access the Organization Service.

userName

String

null

No

Provides the UserName to access the Inline policy of a User.

proxyHost

String

null

No

Provides the ProxyHost.

proxyPort

Integer

null

No

Provides the ProxyPort.

proxyUsername

String

null

No

Provides the Proxy Username.

proxyPassword

GuardedString

null

No

Provides the Proxy Password.

connectionTimeout

Integer

10000

No

Provides the Maximum Connection Timeout in milliseconds.

maxConnections

Integer

10

No

Provides the number of Maximum Connections.

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.