Onboarding Amazon Web Services (AWS) accounts
When you add an AWS account to PingOne Privilege, its resources are discovered automatically and can be managed for just-in-time (JIT) developer access.
To onboard either a single AWS account or an entire organizational unit (OU) in AWS Organizations:
- In the PingOne Privilege admin console, go to Cloud > Clouds.
- Click Add Account Wizard. The Add Account modal displays.
- Ensure the AWS icon is selected.
- In the Name and Description fields, enter identifying details for the connection. Click Next.
- If you are onboarding an organizational unit (OU), click Yes. Otherwise, click No. Click Next.
- Copy the provided CloudFormation (CFN) template.
- In your AWS management account, deploy the CloudFormation template. You must have sufficient IAM permissions to create IAM roles and the other resources the template declares. During deployment, provide the following parameters when prompted:
  - AutoProxyDeploy: Select Enabled to deploy the proxy infrastructure automatically in your VPC.
  - ExternalID: Enter a unique string that acts as a shared secret between your account and PingOne Privilege. This is the standard AWS external ID for cross-account roles (the sts:ExternalId condition): a caller must present it to assume the role, which is what prevents a third party who learns your role ARN from having PingOne's account assume it on their behalf. Generate a random value rather than choosing something guessable, and keep it where you can retrieve it for a later step.
  - OrgID (OU only): Enter the ID of the organizational unit you are onboarding.
- After the CloudFormation stack reaches CREATE_COMPLETE, open its Outputs tab and copy the generated values.
- Return to the Add Account wizard in the PingOne Privilege admin console (Cloud > Clouds).
- Enter the values copied from the CloudFormation stack outputs:
  - Cross Account Role ARN: The ARN of the role created by the template.
  - External ID: The same string you provided as the ExternalID parameter.
  - Organization Unit (OU) ID (OU only): The ID of the onboarded OU.
- Select Verify & Add Account.
Result
The AWS account or OU now appears in the Cloud Accounts list.
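Before pasting the Cross Account Role ARN into the wizard, a practitioner wants to confirm that the role the template created is scoped to the intended principal and actually requires the External ID. The following is an added example, not code from PingOne or from the CloudFormation template. It assumes the trusting principal is an AWS account operated by PingOne (TRUSTED_ACCOUNT is a placeholder, not the real account ID) and that the trust policy is read with `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument`. The sample trust policies are constructed inline so the script runs offline, and it also shows generating a random External ID instead of a "memorable" one.

```python
"""Check a cross-account role's trust policy for the sts:ExternalId control.

Added example; not PingOne or CloudFormation template code. TRUSTED_ACCOUNT
is a placeholder assumption, and the two policy documents below are
constructed samples of what `aws iam get-role` returns, not real outputs.
"""
import json
import secrets
from typing import Any

# Assumed trusting account (placeholder). Take the real value from the template.
TRUSTED_ACCOUNT = "111122223333"

# Constructed value; the real one is whatever you pass as the ExternalID parameter.
EXTERNAL_ID = "example-external-id-do-not-reuse"

# Constructed sample: role correctly scoped to one account and gated on the external ID.
GOOD_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-do-not-reuse"}}
  }]
}"""

# Constructed sample: same role with the condition missing. Anyone who can get
# the trusted account to call AssumeRole on this ARN can use it (confused deputy).
WEAK_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"
  }]
}"""


def generate_external_id(nbytes: int = 24) -> str:
    """Return a random URL-safe external ID (32 characters for 24 bytes)."""
    return secrets.token_urlsafe(nbytes)


def _as_list(value: Any) -> list:
    """IAM policy JSON allows a scalar or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """Extract the account ID from 'arn:aws:iam::123456789012:root' or a bare ID."""
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    return principal


def check_trust_policy(policy: dict, trusted_account: str, external_id: str) -> list[str]:
    """Return findings for every Allow AssumeRole statement.

    An empty list means each such statement names only the expected account
    and carries a StringEquals sts:ExternalId condition equal to external_id.
    """
    findings: list[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {i}: Principal is '*'")
        else:
            raw = principal.get("AWS") if isinstance(principal, dict) else principal
            accounts = {_account_of(p) for p in _as_list(raw)}
            if accounts != {trusted_account}:
                findings.append(f"statement {i}: Principal accounts {sorted(accounts)} "
                                f"are not exactly {{{trusted_account}}}")
        declared = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not declared:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif declared != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match the value you entered")
    return findings


def check_trust_policy_text(text: str, trusted_account: str, external_id: str) -> list[str]:
    """Convenience wrapper for the raw JSON string that the AWS CLI prints."""
    return check_trust_policy(json.loads(text), trusted_account, external_id)


if __name__ == "__main__":
    print("suggested External ID:", generate_external_id())
    for name, text in (("good", GOOD_POLICY_JSON), ("weak", WEAK_POLICY_JSON)):
        print(name, check_trust_policy_text(text, TRUSTED_ACCOUNT, EXTERNAL_ID) or "OK")
```

Run it against the real document by piping the CLI output into `check_trust_policy_text` with the External ID you entered; any finding means the stack did not produce the role the wizard expects, and Verify & Add Account should not be trusted to catch it for you.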