Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iru.com/llms.txt

Use this file to discover all available pages before exploring further.

About AWS IAM Identity Center (SSO)

This connector targets sso: APIs - permission sets, account assignments, instances, and SSO applications. Users and groups come from Identity Store (identitystore:). AWSSSOReadOnly exists but often needs supplementation; the inline policy below tracks Describe*, Get*, List*, and Search* on sso:. Deploy the role in the management or delegated administrator account.

How it works

DetailValue
CategoryIdentity / access governance
AuthenticationCross-account IAM role

Prerequisites

  • IAM Identity Center enabled for the organization.
  • Permissions to create roles in management or delegated admin.

Connect IAM Identity Center (SSO) to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS IAM Identity Center (SSO)

Find AWS IAM Identity Center (SSO) (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3

Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

In the management or delegated administrator account, open IAMRolesCreate role.
2

Configure trusted entity

Choose AWS accountAnother AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the external ID from Iru.
3

Add the SSO inline policy

Skip attaching only AWSSSOReadOnly if it misses APIs your audit needs - create an inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:Describe*",
        "sso:Get*",
        "sso:List*",
        "sso:Search*"
      ],
      "Resource": "*"
    }
  ]
}
4

Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit until AWS IAM Identity Center (SSO) shows Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Member-account roles cannot see org SSO config - use management/delegated admin.
Confirm sso:List* / sso:Describe* coverage (wildcard above).
SSO management uses sso:, not identitycenter: for these reads.
External ID mismatch.

See also