PingOne Privilege

Onboarding Amazon Web Services (AWS) accounts

When you add an AWS account to PingOne Privilege, its resources are automatically discovered and can be managed for just-in-time (JIT) access. You can onboard either a single AWS account or an entire AWS Organization Unit (OU).

Step 1: Start the Add Account wizard

  1. In the PingOne Privilege admin console, go to Cloud > Clouds.

  2. Click Add Account Wizard.

  3. In the Add Account modal, ensure the AWS icon is selected.

  4. Enter a Name and Description for the connection. Click Next.

  5. When asked if you are onboarding an Organization Unit (OU), select Yes or No. Click Next.

Step 2: Deploy the CloudFormation template in AWS

  1. Copy the provided CloudFormation (CFN) template or click Open CF Template to open it in your AWS account.

  2. In your AWS management account, deploy the CloudFormation template.

    You must have sufficient IAM permissions to create the required resources. During deployment, provide the following parameters when prompted:

    • ExternalID: Enter a unique, memorable string that acts as a shared secret. You can copy this value directly from the PingOne Privilege UI.

    • OrgID (OU Only): Enter the ID of the AWS Organization Unit you are onboarding.

  3. After the CloudFormation stack is successfully created, go to its Outputs tab and copy the generated values.

Step 3: Complete the configuration in PingOne Privilege

  1. In the PingOne Privilege admin console, return to the Add Account wizard.

  2. Enter the values you copied from the CloudFormation stack outputs:

    • Cross Account Role ARN: The ARN of the role created by the template.

    • Organization Unit (OU) ID (For OUs only): The ID of the onboarded OU.

    • Advanced Discovery TAGS (Optional): Limit discovery to resources with matching tags.

    • Advanced Discovery REGION (Optional): By default, all enabled regions are scanned. Select specific regions to limit the discovery scope.

  3. Click Verify & Add Account.

Result

The AWS account or OU will now appear in the Cloud Accounts list.

Validation

To ensure the onboarding process was successful:

  1. Sign in to the AWS console for the onboarded account.

  2. Go to the IAM service.

  3. Select Identity providers.

  4. Verify that an identity provider exists with the name Procyon-<YourTenantName>-<YourAWSAccountName>, where <YourTenantName> is your PingOne Privilege tenant name and <YourAWSAccountName> is the name you provided in the wizard.
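The two artefacts this procedure leaves behind, the cross-account role trust policy and the IAM identity provider, can be checked offline against what was entered in the wizard; the following is an added example, not Ping Identity's code. It assumes the template's role trust policy carries an sts:ExternalId condition matching the ExternalID parameter and that provider ARNs use the standard saml-provider/ or oidc-provider/ form; the policy and ARN inputs are constructed stand-ins for `aws iam get-role` and `aws iam list-saml-providers` output.

```python
"""Offline checks on the artefacts this onboarding produces (added example,
not Ping Identity's code). Assumed: the template's cross-account role has an
sts:ExternalId trust condition, and the identity provider is named
Procyon-<Tenant>-<AccountName>. All inputs below are constructed samples."""
import json
import re

def trust_policy_findings(policy_json: str, expected_external_id: str) -> list:
    """Return problems found in an AssumeRole trust policy (empty list = OK)."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("AssumeRole is open to any AWS principal")
        # The ExternalID is the confused-deputy guard: without it, anyone who
        # learns the role ARN could ask the service to assume it on their behalf.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("no sts:ExternalId condition on the AssumeRole statement")
        elif ext != expected_external_id:
            findings.append("sts:ExternalId differs from the value entered in the wizard")
    return findings

def expected_provider_name(tenant: str, account_name: str) -> str:
    """Name the Validation section says the identity provider should carry."""
    return f"Procyon-{tenant}-{account_name}"

def provider_present(provider_arns: list, tenant: str, account_name: str) -> bool:
    """True if a SAML or OIDC identity provider with the expected name is listed."""
    want = expected_provider_name(tenant, account_name)
    for arn in provider_arns:
        m = re.search(r":(?:saml|oidc)-provider/(.+)$", arn)
        if m and m.group(1) == want:
            return True
    return False

# Constructed samples; 123456789012 is the AWS documentation placeholder account.
GOOD_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "wizard-copied-secret"}}}]})
WEAK_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]})
PROVIDERS = ["arn:aws:iam::123456789012:saml-provider/Procyon-acme-prod-account"]
```

Feed `trust_policy_findings` the `AssumeRolePolicyDocument` of the role whose ARN you pasted into the wizard; any finding means the deployed stack does not match what the wizard was told.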