AccessOwl integrates with AWS to manage access across your AWS Organization. It works through AWS IAM Identity Center (formerly AWS SSO), syncing permission sets, account assignments, and Identity Store users and groups.
The integration currently covers Identity Center only. Native IAM users, IAM groups, and IAM roles in your member accounts are not synced or provisioned.
## Capabilities

### Structure Sync

AccessOwl periodically syncs your AWS Organization accounts, Identity Center permission sets, and Identity Center groups.

### User Sync

AccessOwl syncs Identity Center users and groups along with their permission-set assignments per account.

### Provisioning

AccessOwl creates Identity Store users, manages group memberships, and grants or revokes permission-set assignments during access requests and revocations.
## How the integration works

AccessOwl connects to your AWS Organization by assuming a single IAM role, `AccessOwlManagementRole`, in your management account. From there it can:

- read your organization's accounts, Identity Center configuration, and Identity Store directory
- manage account assignments and Identity Store memberships
- assume the standard `OrganizationAccountAccessRole` in each member account to discover Identity Center instances delegated outside the management account

Two controls restrict who can assume the management role:

- the role's trust policy, which only allows AccessOwl's provider role to call `sts:AssumeRole`
- an External ID that AccessOwl generates per tenant and that must match on every assume-role call, protecting against the confused deputy problem
## Prerequisites

- Administrator access to your AWS Organization's management account
- AWS IAM Identity Center enabled, with its region known (e.g. `eu-north-1`)
- Member accounts have an `OrganizationAccountAccessRole` (see Member-account role below)
## Setup

The AccessOwl setup assistant generates the exact JSON policies, with your tenant's External ID pre-filled, and walks you through the same flow as below. This page focuses on what needs to happen on the AWS side.

### 1. Create AccessOwlManagementRole in your management account

In your AWS Organization's management account, create an IAM role named `AccessOwlManagementRole` with a custom trust policy: paste the trust-policy JSON shown by AccessOwl. Leave the permissions screen empty during role creation; you'll attach permissions in the next step.

### 2. Attach the permissions policy to the role

On `AccessOwlManagementRole`, add an inline policy with the permissions JSON shown by AccessOwl, and name it `AccessOwlManagementRolePolicy`.

The policy grants the minimum permissions for sync and provisioning: AWS Organizations (`ListAccounts`), Identity Center (`sso:*` for permission sets and account assignments), Identity Store (`identitystore:*` for users, groups, and memberships), and `sts:AssumeRole` into `OrganizationAccountAccessRole` in member accounts.

### 3. Ensure OrganizationAccountAccessRole exists in member accounts

AccessOwl assumes `OrganizationAccountAccessRole` from the management role to discover Identity Center instances that may be delegated to a member account.

- Accounts created through AWS Organizations: no action needed; AWS provisions this role automatically with a trust policy for the management account.
- Invited accounts: create the role yourself with a trust policy for the management account and either the AWS-managed `AdministratorAccess` policy or the same permissions policy used in step 2.

The role name must be exactly `OrganizationAccountAccessRole`. A custom name is not currently supported.

## Validation
After the initial sync completes you should see:

- your AWS Organization accounts listed in AccessOwl
- Identity Center permission sets, Identity Store users, and Identity Store groups
## Troubleshooting

### AccessOwl can't connect to the management role
Check that:

- the External ID in AccessOwl exactly matches `sts:ExternalId` in your trust policy (no leading/trailing whitespace)
- the Management Account Role ARN is for `AccessOwlManagementRole` in your management account, not a member account
- the AWS Region in AccessOwl matches the region of your Identity Center instance
### A direct permission-set revocation stays pending with AccessDeniedException
Direct revocation of a permission set from a `USER` principal requires both `sso:DeleteAccountAssignment` and `sso:DescribeAccountAssignmentDeletionStatus`. Confirm both are present in the inline policy on `AccessOwlManagementRole` and on the affected member account if you've customized the policy there.
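The External ID and revocation checks above can be run offline against the JSON you are about to paste; the script below is an added example, not AccessOwl's code, and its provider-role ARN, External ID and sample policy are constructed placeholders. It flags a trust policy that lacks the `sts:ExternalId` condition, whose External ID differs from the tenant value or carries stray whitespace, or that is not pinned to a single principal, and it lists which of the two revocation actions a permissions policy does not allow (honouring wildcards such as `sso:*`).

```python
"""Offline sanity checks for the AWS-side setup described on this page.
Added example, not AccessOwl's own code; ARN, External ID and policies are placeholders."""
import json
from fnmatch import fnmatchcase

# Constructed sample shaped like the trust policy the setup assistant shows:
# a single principal (AccessOwl's provider role) plus the External ID condition.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/PROVIDER-ROLE-PLACEHOLDER"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"}},
    }],
})

# Both actions are needed for a direct permission-set revocation from a USER principal.
REVOCATION_ACTIONS = {"sso:DeleteAccountAssignment", "sso:DescribeAccountAssignmentDeletionStatus"}


def _allow_statements(doc: str):
    """Yield (actions, statement) for each Allow statement; Action may be a str or a list."""
    for stmt in json.loads(doc).get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            yield ([actions] if isinstance(actions, str) else actions), stmt


def check_trust_policy(doc: str, expected_external_id: str) -> list[str]:
    """Return problems with the AccessOwlManagementRole trust policy; [] means it looks right."""
    problems = []
    if expected_external_id != expected_external_id.strip():
        problems.append("External ID has leading/trailing whitespace")
    for actions, stmt in _allow_statements(doc):
        if "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        principal = principal.get("AWS") if isinstance(principal, dict) else principal
        if not isinstance(principal, str) or principal == "*":
            problems.append("AssumeRole is not restricted to a single principal role ARN")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext_id is None:
            problems.append("no sts:ExternalId condition (confused-deputy protection missing)")
        elif ext_id != expected_external_id.strip():
            problems.append("sts:ExternalId does not match the tenant External ID")
    return problems


def missing_revocation_actions(doc: str) -> set[str]:
    """Revocation actions the permissions policy does not allow (wildcards honoured)."""
    patterns = [a for actions, _ in _allow_statements(doc) for a in actions]
    return {a for a in REVOCATION_ACTIONS if not any(fnmatchcase(a, p) for p in patterns)}
```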
### An Identity Center instance delegated to a member account doesn't show up
AccessOwl discovers delegated Identity Center instances by assuming `OrganizationAccountAccessRole` in each member account. If a delegated instance is missing, verify in that account that the role exists, is named exactly `OrganizationAccountAccessRole`, and trusts the management account.
### AWS says 'Has prohibited field Resource' when pasting a policy
You're pasting the permissions policy into the trust policy editor. The trust policy goes on the Trust relationships tab (or during role creation under Custom trust policy); the permissions policy goes on the Permissions tab under Add permissions → Create inline policy.

