Syncing Amazon Web Services (AWS) Accounts

Capabilities

The AWS integration offers all of the functionality that RoleUp supports: listing accounts and memberships, adding and removing accounts, and updating groups.

Note that AWS accounts do not include an email address, and thus cannot be automatically merged with identities based on email alone.

Requirements

In order to add an AWS integration, you must have the permissions required to create an API key with either IAMFullAccess or IAMReadOnlyAccess permissions for your AWS organization.

Setup

  1. To add a new AWS integration, start here.
  2. By default the AWS integration requests Read/Write permissions, but it can be configured as Read-Only.
  3. You will need to create an API key by visiting this AWS page and creating a new user with IAMFullAccess or IAMReadOnlyAccess permissions.
  4. Optionally, you can specify a path prefix to limit which accounts are synced into RoleUp.
  5. Click Add to create the integration once you’ve filled in the required fields.
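
One way to script step 3 with the AWS CLI, plus a preview of what a step 4 path prefix would cover. This is an added example, not RoleUp's own tooling: the user name roleup-integration and the ROLEUP_MODE variable are hypothetical, and it assumes RoleUp matches path prefixes the way IAM's --path-prefix option does.

```shell
#!/bin/sh
# Added example: provision a dedicated IAM user for the RoleUp integration.
# "roleup-integration" and ROLEUP_MODE are hypothetical names, not RoleUp requirements.

# Map the integration mode (Setup step 2) to the AWS managed policy (step 3).
policy_arn_for_mode() {
  case "$1" in
    read-only)  echo "arn:aws:iam::aws:policy/IAMReadOnlyAccess" ;;
    read-write) echo "arn:aws:iam::aws:policy/IAMFullAccess" ;;
    *) echo "unknown mode: $1 (use read-only or read-write)" >&2; return 1 ;;
  esac
}

# Create the user, attach exactly one managed policy, then issue the API key.
# Prints "<AccessKeyId><TAB><SecretAccessKey>"; AWS shows the secret only at
# creation time, so capture this output straight into a secrets store.
create_integration_user() {
  user="$1"
  # Validate the mode first so a typo never leaves a half-created user behind.
  arn="$(policy_arn_for_mode "$2")" || return 1
  aws iam create-user --user-name "$user" >/dev/null || return 1
  aws iam attach-user-policy --user-name "$user" --policy-arn "$arn" || return 1
  aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# List the IAM user names under a path prefix (step 4) to preview the sync scope.
# Assumption: RoleUp applies the prefix the same way IAM's --path-prefix does.
users_under_prefix() {
  aws iam list-users --path-prefix "$1" --query 'Users[].UserName' --output text
}

# Nothing runs unless ROLEUP_MODE is set, e.g. ROLEUP_MODE=read-only sh this-file
if [ -n "${ROLEUP_MODE:-}" ]; then
  create_integration_user "roleup-integration" "$ROLEUP_MODE"
fi
```

Choosing read-only here attaches IAMReadOnlyAccess, which matches the Read-Only configuration in step 2 and keeps the key from being able to modify IAM.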

Onboard

AWS accounts may be created through RoleUp by providing the username and password of the new user and, optionally, the permission policies and groups for the user. Note that we do not store the password beyond the creation of the account, and force it to be reset after the first use.

Once the account is created, you can relay the username and password to the end user so they can log in. Alternatively, if the onboarding is done using the public link, the user can provide the username and password themselves before the account is created.

Offboarding

To remove an account from AWS:

  1. Click the Offboard toggle in the top right of the Identities page.
  2. Click the Remove button next to the user you wish to remove from AWS.
  3. Their account will immediately lose access to the integrated AWS organization.

Removing the Integration

  1. Go to the integrations list, or click here.
  2. Click the Edit button on the AWS integration you wish to remove.
  3. At the bottom of the integration configuration page, you may click the Remove Permanently button to remove the integration and all of its associated data on RoleUp systems, and to delete the encrypted copy of the API key.
  4. If you wish to reinstall the AWS integration at a later time, just add the integration back and everything should return to how it was after the accounts are synced.
