Overview
Torii integrates with AWS Identity Center and syncs:
| User Fields | License Types |
|---|---|
| Username | AWS Identity Center |
| Status | |
- Torii supports syncing multiple AWS Identity Center accounts.
- You can always find up-to-date application information on our Integrations Page >> Integration Capabilities button >> Integration Capabilities table.
Important
✅ Role and policy must be created in your AWS Management account.
Side note:
Even though the role ARN is created within a specific AWS account, it isn’t limited to data from that account only. The Identity Store is defined at an organization-wide level, and all of your AWS accounts are associated with it.
As a result, when Torii lists users from the Identity Store, it retrieves all users in the organization, regardless of which AWS account the role was created under.
Requirements
Accounts & Permissions
- To connect this integration, we require the following:
  - Role ARN (Required)
  - Region (Required)
  - Identity Store ID (Required)
  - InstanceArn (Required)
How to Generate the Required Values
1. Retrieve the Identity Store ID and InstanceArn
- Navigate to AWS IAM Identity Center → Settings
- Copy the Identity Store ID and InstanceArn
2. Create the IAM Policy
- Navigate to the IAM page in your AWS Console.
- Click Policies → Create Policy.
- In the JSON tab, paste the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IdentityStoreRead",
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:DescribeUser",
        "identitystore:ListGroups",
        "identitystore:DescribeGroup",
        "identitystore:ListGroupMemberships",
        "identitystore:ListGroupMembershipsForMember"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IdentityCenterRead",
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:ListPermissionSets",
        "sso:DescribePermissionSet",
        "sso:ListAccountAssignments",
        "sso:ListAccountAssignmentsForPrincipal",
        "sso:ListPermissionSetsProvisionedToAccount",
        "sso:ListManagedPoliciesInPermissionSet",
        "sso:GetInlinePolicyForPermissionSet",
        "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
        "sso:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "OrganizationsReadForAccountNames",
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "organizations:ListAccounts",
        "organizations:DescribeAccount",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click Next, then give the policy a name (for example, torii-identity-center-integration-policy).
- Click Create Policy.
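Before pasting a policy into the console it is worth confirming that it really is read-only, which is what makes this integration low-risk. The audit script below is an added example, not Torii's own tooling: it embeds a copy of the policy above, flattens every action, and reports anything that is not a List/Describe/Get call in the three expected services (wildcards, write verbs, foreign services, or `NotAction` grants). The same function can be pointed at any other policy document you are asked to create.

```python
import json
import re
from typing import List

# Copy of the step-2 permission policy from this page, embedded so the audit
# runs offline. Replace the text with your own policy document to audit that instead.
TORII_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "IdentityStoreRead", "Effect": "Allow", "Resource": "*",
     "Action": ["identitystore:ListUsers", "identitystore:DescribeUser",
                "identitystore:ListGroups", "identitystore:DescribeGroup",
                "identitystore:ListGroupMemberships",
                "identitystore:ListGroupMembershipsForMember"]},
    {"Sid": "IdentityCenterRead", "Effect": "Allow", "Resource": "*",
     "Action": ["sso:ListInstances", "sso:ListPermissionSets",
                "sso:DescribePermissionSet", "sso:ListAccountAssignments",
                "sso:ListAccountAssignmentsForPrincipal",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:GetInlinePolicyForPermissionSet",
                "sso:ListCustomerManagedPolicyReferencesInPermissionSet",
                "sso:ListTagsForResource"]},
    {"Sid": "OrganizationsReadForAccountNames", "Effect": "Allow", "Resource": "*",
     "Action": ["organizations:DescribeOrganization", "organizations:ListAccounts",
                "organizations:DescribeAccount", "organizations:ListTagsForResource"]}
  ]
}
"""

# The integration only needs to read. These are the services and verb prefixes
# the page's policy uses; anything outside them is reported as a finding.
EXPECTED_SERVICES = {"identitystore", "sso", "organizations"}
READ_ONLY_VERB = re.compile(r"^(List|Describe|Get)[A-Za-z]+$")


def load_policy(text: str) -> dict:
    """Parse a policy document string into a dict."""
    return json.loads(text)


def list_actions(policy: dict) -> List[str]:
    """Flatten every Action in the policy into one sorted list."""
    actions = []
    for stmt in policy.get("Statement", []):
        value = stmt.get("Action", [])
        actions.extend([value] if isinstance(value, str) else value)
    return sorted(actions)


def audit_read_only(policy: dict) -> List[str]:
    """Return human-readable findings. An empty list means the policy grants
    only List/Describe/Get access within the three expected services."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: Effect is {stmt.get('Effect')!r}, expected Allow")
        # NotAction / NotResource grant by exclusion, which is never read-only by construction.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: uses {key}, which grants everything not listed")
        value = stmt.get("Action", [])
        for action in ([value] if isinstance(value, str) else value):
            service, _, verb = action.partition(":")
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif service not in EXPECTED_SERVICES:
                findings.append(f"{sid}: unexpected service in {action!r}")
            elif not READ_ONLY_VERB.match(verb):
                findings.append(f"{sid}: non-read-only action {action!r}")
    return findings


if __name__ == "__main__":
    policy = load_policy(TORII_POLICY_JSON)
    print(f"{len(list_actions(policy))} actions granted")
    for finding in audit_read_only(policy) or ["no findings: policy is read-only"]:
        print(finding)
```

Run it unchanged and it reports 20 actions and no findings; edit the embedded JSON (for example add a `Create*` action or an `sso:*` wildcard) and the corresponding statement is called out by its `Sid`.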
3. Create the IAM Role
- Go to Roles → Create Role
- Choose AWS Account → Custom trust policy
- Paste the JSON below and replace the sts:ExternalId placeholder value with your Torii Organization ID:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::458158785647:role/torii-integration-delegator"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<Enter Your Torii Organization Id Here>"
        }
      }
    }
  ]
}
```
- Click Next
- Search for the policy you created in the second step, select it, and click Next
- Name the role and click Create Role
- Copy the role ARN
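The trust policy is what limits who may assume this role: the `Principal` pins it to Torii's delegator role, and the `sts:ExternalId` condition ensures Torii can only assume it on behalf of your organization (the standard defence against confused-deputy misuse of a cross-account role). The script below is an added example, not Torii's code: it fills the page's template with your Organization ID and then checks the resulting document for the mistakes that typically creep in (placeholder left unreplaced, principal widened to `*`, condition dropped, extra actions). The value `EXAMPLE-ORG-ID` is a constructed stand-in for a real Torii Organization ID.

```python
import json
from typing import List

# Principal and placeholder exactly as they appear in the page's trust policy.
TORII_DELEGATOR_ARN = "arn:aws:iam::458158785647:role/torii-integration-delegator"
EXTERNAL_ID_PLACEHOLDER = "<Enter Your Torii Organization Id Here>"

TRUST_POLICY_TEMPLATE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::458158785647:role/torii-integration-delegator"},
      "Action": "sts:AssumeRole",
      "Condition": {"StringEquals": {"sts:ExternalId": "<Enter Your Torii Organization Id Here>"}}
    }
  ]
}
"""


def render_trust_policy(torii_org_id: str) -> dict:
    """Fill the page's template with your Torii Organization ID and parse it."""
    return json.loads(TRUST_POLICY_TEMPLATE.replace(EXTERNAL_ID_PLACEHOLDER, torii_org_id))


def check_trust_policy(doc: dict, expected_external_id: str) -> List[str]:
    """Findings for a trust policy. An empty list means only Torii's delegator
    role can assume the role, and only when it presents your ExternalId."""
    findings = []
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    if len(stmts) != 1:
        findings.append(f"expected exactly one statement, found {len(stmts)}")
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            findings.append("statement Effect is not Allow")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws != TORII_DELEGATOR_ARN:
            # "*" or any other account here lets someone other than Torii assume the role
            findings.append(f"principal is {aws!r}, expected the Torii delegator role")
        action = stmt.get("Action")
        actions = [action] if isinstance(action, str) else (action or [])
        if actions != ["sts:AssumeRole"]:
            findings.append(f"action should be exactly sts:AssumeRole, found {actions}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition: role is open to confused-deputy misuse")
        elif ext == EXTERNAL_ID_PLACEHOLDER:
            findings.append("sts:ExternalId still holds the template placeholder")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId does not match your Torii Organization ID")
    return findings


if __name__ == "__main__":
    org_id = "EXAMPLE-ORG-ID"  # constructed stand-in; use your real Torii Organization ID
    doc = render_trust_policy(org_id)
    for finding in check_trust_policy(doc, org_id) or ["no findings"]:
        print(finding)
    print(json.dumps(doc, indent=2))  # ready to paste into the Custom trust policy editor
```

Running it prints the filled-in document you can paste into the console; re-run `check_trust_policy` against the trust policy you read back from the role afterwards to confirm nobody widened it during creation.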
How to Connect the Integration
- Go to the Integrations page in Torii
- Select the AWS Identity Center tile
- Click Connect
- Enter:
  - Role ARN
  - Identity Store ID
  - Region
- Click Connect
- Once synced, a green checkbox will appear
For any further questions, please contact Torii Support.