
AWS IAM Integration

Netanel Hugi

Overview

Torii integrates with AWS IAM and syncs:

User Fields    License Types
Username       AWS IAM
Status
  • Torii supports syncing multiple AWS IAM accounts.
  • The current list of synced fields is always available in Torii: Integrations Page
    >> Integration Capabilities button >> Integration Capabilities table.

Requirements

Accounts & Permissions

  • To connect this integration, we require the following:
    • Role ARN (Required)
    • Region (Optional)

How to Generate the Required Values

1. Create the IAM Policy

  • Navigate to the IAM page in your AWS Console.
  • Click Policies >> Create Policy.

  • In the JSON tab, paste the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:GetGroup"
      ],
      "Resource": "*"
    }
  ]
}

  • Click Next, then give the policy you configured in the previous step a name - for example, torii-integration-policy.

  • Click Create Policy and confirm it appears in the Policies list.


2. Create the IAM Role

  • Go to Roles >> Create Role.

  • Choose AWS Account >> Custom trust policy.

  • Paste the JSON object provided below.
  • Replace the sts:ExternalId placeholder with your Torii organization ID.

    • (You can find your Org ID in the Torii URL: e.g., from https://app.toriihq.com/team/123456, the Org ID is 123456)
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::458158785647:role/torii-integration-delegator"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<Enter Your Torii Organization Id Here>"
            }
          }
        }
      ]
    }
  • Click Next.
  • Search for the policy you created in step 1, select it, and click Next.
  • Name the role - for example, torii-integration-role - and click Create Role.
  • After creation, search for the role and copy its ARN.

This trust policy adds two security protections:

  • Least-privilege access: only Torii’s dedicated integration role (torii-integration-delegator) is allowed to assume this role.
  • External ID validation: Torii must present your unique Torii organization ID when assuming the role, adding protection against unauthorized access and the confused-deputy problem.
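As an added example (not Torii's own tooling), a small Python check that the two JSON documents saved from the AWS console match what this article prescribes: the trust policy names only Torii's delegator role as principal and carries an sts:ExternalId equal to your Org ID (the 123456 example above), and the permissions policy allows only the three read-only IAM actions. The file names are assumed.

```python
import json

# Values taken from the article: Torii's delegator role ARN and the three read-only actions.
TORII_DELEGATOR_ARN = "arn:aws:iam::458158785647:role/torii-integration-delegator"
ALLOWED_ACTIONS = {"iam:ListUsers", "iam:ListGroups", "iam:GetGroup"}


def check_trust_policy(doc: dict, org_id: str) -> list:
    """Return findings for a role trust policy; an empty list means it matches the article."""
    findings = []
    statements = doc.get("Statement", [])
    if len(statements) != 1:
        findings.append(f"expected exactly 1 statement, found {len(statements)}")
    for st in statements:
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRole":
            findings.append("statement must Allow exactly sts:AssumeRole")
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal != TORII_DELEGATOR_ARN:  # e.g. "*" would let any AWS account assume the role
            findings.append(f"principal must be the Torii delegator role, found {principal!r}")
        ext_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            findings.append("missing sts:ExternalId condition (no confused-deputy protection)")
        elif ext_id != org_id:  # also catches the placeholder left in the pasted JSON
            findings.append(f"sts:ExternalId {ext_id!r} does not match org id {org_id!r}")
    return findings


def check_permissions_policy(doc: dict) -> list:
    """Flag any Allow action beyond the three read-only IAM calls the integration needs."""
    findings = []
    for st in doc.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = sorted(set(actions) - ALLOWED_ACTIONS)
        if st.get("Effect") == "Allow" and extra:
            findings.append(f"unexpected actions granted: {extra}")
    return findings


if __name__ == "__main__":
    # Hypothetical file names: the two JSON documents saved from the AWS console.
    with open("trust-policy.json") as f:
        print(check_trust_policy(json.load(f), "123456") or "trust policy OK")
    with open("permissions-policy.json") as f:
        print(check_permissions_policy(json.load(f)) or "permissions policy OK")
```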

How to Connect the Integration

  1. Go to the Integrations page in Torii.
  2. Select the AWS IAM tile.

  3. Click Connect.
  4. Enter the required values:
    • Role ARN (required)
    • Region (optional)

  5. Click Connect to finalize the integration.
  6. Once the integration is connected and synced, a green checkbox will appear.

For any further questions, please contact Torii Support.
