Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iru.com/llms.txt

Use this file to discover all available pages before exploring further.

About AWS IAM Identity Center (Identity Store)

This source reads users, groups, and memberships through the identitystore: API - the directory layer behind IAM Identity Center. Permission sets, account assignments, and SSO applications live under sso: and are covered by IAM Identity Center (SSO). Create the role in your organization management or delegated administrator account where Identity Center is enabled. AWS does not ship a minimal managed policy only for Identity Store. Use the inline JSON below.

How it works

DetailValue
CategoryIdentity
AuthenticationCross-account IAM role

Prerequisites

  • IAM Identity Center enabled; role in management or delegated admin account.
  • d-xxxxxxxxxx Identity Store ID is discoverable in console Settings once Iru connects.

Connect Identity Store to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS IAM Identity Center (Identity Store)

Find AWS IAM Identity Center (Identity Store) (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3

Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

In the management or delegated administrator account, open IAMRolesCreate role.
2

Configure trusted entity

Choose AWS accountAnother AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the external ID from Iru.
3

Skip broad managed policies

Advance without attaching AWSSSOReadOnly unless your team standardized on it - Identity Store reads are narrower.
4

Add the Identity Store inline policy

Create an inline policy with this JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:Describe*",
        "identitystore:Get*",
        "identitystore:List*"
      ],
      "Resource": "*"
    }
  ]
}
5

Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit until Identity Store shows Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Wrong account - use management or delegated admin where Identity Center runs.
Use identitystore:, not sso:.
External ID mismatch.

Considerations

Identity Center home Region is fixed per…

Identity Center home Region is fixed per organization; evidence reflects that deployment model.

See also