

# Integrating IAM Identity Center
<a name="identity-center-integration"></a>

With AWS IAM Identity Center, you can connect to identity providers (IdPs) and centrally manage access for users and groups across AWS analytics services. You can integrate identity providers such as Okta, Ping, and Microsoft Entra ID (formerly Azure Active Directory) with IAM Identity Center so that users in your organization can access data through a single sign-on experience. IAM Identity Center also supports connecting additional third-party identity providers.

For more information, see [Supported identity providers](https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html) in the AWS IAM Identity Center User Guide.

You can configure AWS Lake Formation as an enabled application in IAM Identity Center, and data lake administrators can grant fine-grained permissions to authorized users and groups on AWS Glue Data Catalog resources. 

Users from your organization can sign in to any IAM Identity Center enabled application using your organization’s identity provider and query datasets with Lake Formation permissions applied. With this integration, you can manage access to AWS services without creating multiple IAM roles.

[Trusted identity propagation](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html) is an AWS IAM Identity Center feature that administrators of connected AWS services can use to grant and audit access to service data. Access to this data is based on user attributes such as group associations. Setting up trusted identity propagation requires collaboration between the administrators of connected AWS services and the IAM Identity Center administrators. For more information, see [Prerequisites and considerations](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overall-prerequisites.html).

For limitations, see [IAM Identity Center integration limitations](identity-center-lf-notes.md).

**Topics**
+ [Prerequisites for IAM Identity Center integration with Lake Formation](prerequisites-identity-center.md)
+ [Connecting Lake Formation with IAM Identity Center](connect-lf-identity-center.md)
+ [Updating IAM Identity Center integration](update-lf-identity-center-connection.md)
+ [Deleting a Lake Formation connection with IAM Identity Center](delete-lf-identity-center-connection.md)
+ [Granting permissions to users and groups](grant-permissions-sso.md)
+ [Including IAM Identity Center user context in CloudTrail logs](identity-center-ct-logs.md)

# Prerequisites for IAM Identity Center integration with Lake Formation
<a name="prerequisites-identity-center"></a>

 The following are the prerequisites for integrating IAM Identity Center with Lake Formation. 

1. Enable IAM Identity Center – Enabling IAM Identity Center is a prerequisite to support authentication and identity propagation.

1. Choose your identity source – After you enable IAM Identity Center, you must have an identity provider to manage users and groups. You can either use the built-in Identity Center directory as an identity source or use an external IdP, such as Microsoft Entra ID or Okta. 

    For more information, see [Manage your identity source](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) and [Connect to an external identity provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) in the AWS IAM Identity Center User Guide. 

1. Create an IAM role – The role that creates the IAM Identity Center connection requires permissions to create and modify application configuration in Lake Formation and IAM Identity Center, as in the following inline policy. 

   Grant these permissions following IAM least-privilege best practices; the specific permissions for each operation are detailed in the procedures that follow. For more information, see [Getting started with IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-enable-identity-center.html).

------
#### [ JSON ]


   ```
   {
       "Version":"2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "lakeformation:CreateLakeFormationIdentityCenterConfiguration",
                   "sso:CreateApplication",
                   "sso:PutApplicationAssignmentConfiguration",
                   "sso:PutApplicationAuthenticationMethod",
                   "sso:PutApplicationGrant",
                   "sso:PutApplicationAccessScope"
               ],
               "Resource": [
                   "*"
               ]
           }
       ]
   }
   ```

------

    If you're sharing Data Catalog resources with external AWS accounts or organizations, you must have the AWS Resource Access Manager (AWS RAM) permissions for creating resource shares. For more information about the permissions required to share resources, see [Cross-account data sharing prerequisites](cross-account-prereqs.md). 

The following inline policies contain specific permissions required to view, update, and delete properties of Lake Formation integration with IAM Identity Center.
+ Use the following inline policy to allow an IAM role to view a Lake Formation integration with IAM Identity Center.

------
#### [ JSON ]


  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "lakeformation:DescribeLakeFormationIdentityCenterConfiguration",
                  "sso:DescribeApplication"
              ],
              "Resource": [
                  "*"
              ]
          }
      ]
  }
  ```

------
+ Use the following inline policy to allow an IAM role to update a Lake Formation integration with IAM Identity Center. Sharing resources with external accounts additionally requires AWS RAM permissions; see [Cross-account data sharing prerequisites](cross-account-prereqs.md).

------
#### [ JSON ]


  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "lakeformation:UpdateLakeFormationIdentityCenterConfiguration",
                  "lakeformation:DescribeLakeFormationIdentityCenterConfiguration",
                  "sso:DescribeApplication",
                  "sso:UpdateApplication"
              ],
              "Resource": [
                  "*"
              ]
          }
      ]
  }
  ```

------
+ Use the following inline policy to allow an IAM role to delete a Lake Formation integration with IAM Identity Center.

------
#### [ JSON ]


  ```
  {
      "Version":"2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "lakeformation:DeleteLakeFormationIdentityCenterConfiguration",
                  "sso:DeleteApplication"
              ],
              "Resource": [
                  "*"
              ]
          }
      ]
  }
  ```

------
+ For IAM permissions required to grant or revoke data lake permissions for IAM Identity Center users and groups, see [IAM permissions required to grant or revoke Lake Formation permissions](required-permissions-for-grant.md). 

*Permissions description*
+ `lakeformation:CreateLakeFormationIdentityCenterConfiguration` – Creates the Lake Formation IdC configuration.
+ `lakeformation:DescribeLakeFormationIdentityCenterConfiguration` – Describes an existing IdC configuration.
+ `lakeformation:DeleteLakeFormationIdentityCenterConfiguration` – Gives the ability to delete an existing Lake Formation IdC configuration. 
+ `lakeformation:UpdateLakeFormationIdentityCenterConfiguration` – Used to change an existing Lake Formation IdC configuration.
+ `sso:CreateApplication` – Used to create an IAM Identity Center application.
+ `sso:DeleteApplication` – Used to delete an IAM Identity Center application.
+ `sso:UpdateApplication` – Used to update an IAM Identity Center application.
+ `sso:PutApplicationGrant` – Used to change the trusted token issuer information.
+ `sso:PutApplicationAuthenticationMethod` – Grants Lake Formation authentication access.
+ `sso:GetApplicationGrant` – Used to list trusted token issuer information.
+ `sso:DeleteApplicationGrant` – Deletes the trusted token issuer information.
+ `sso:PutApplicationAccessScope` – Adds or updates the list of authorized targets for an IAM Identity Center access scope for an application.
+ `sso:PutApplicationAssignmentConfiguration` – Used to configure how users gain access to an application.

# Connecting Lake Formation with IAM Identity Center
<a name="connect-lf-identity-center"></a>

Before you can use IAM Identity Center to manage identities to grant access to Data Catalog resources using Lake Formation, you must complete the following steps. You can create the IAM Identity Center integration using the Lake Formation console or AWS CLI. 

------
#### [ AWS Management Console ]

**To connect Lake Formation with IAM Identity Center**

1. Sign in to the AWS Management Console, and open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. In the left navigation pane, select **IAM Identity Center integration**.   
![\[IAM Identity Center integration screen with Identity Center ARN.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/identity-center-integ.png)

1. (Optional) Enter one or more valid AWS account IDs, organization IDs, or organizational unit IDs to allow external accounts to access the Data Catalog resources. When IAM Identity Center users or groups try to access Lake Formation managed Data Catalog resources, Lake Formation assumes an IAM role to authorize metadata access. If that IAM role belongs to an external account that does not have the AWS Glue resource policy and AWS RAM resource share in place, the IAM Identity Center users and groups can't access the resource even if they have Lake Formation permissions.

   Lake Formation uses the AWS Resource Access Manager (AWS RAM) service to share the resource with external accounts and organizations. AWS RAM sends an invitation to the grantee account to accept or reject the resource share. 

   For more information, see [Accepting a resource share invitation from AWS RAM](accepting-ram-invite.md).
**Note**  
Lake Formation permits IAM roles from external accounts to act as carrier roles on behalf of IAM Identity Center users and groups for accessing Data Catalog resources, but permissions can only be granted on Data Catalog resources within the owning account. If you try to grant permissions to IAM Identity Center users and groups on Data Catalog resources in an external account, Lake Formation throws the following error - "Cross-account grants are not supported for the principal." 

1. (Optional) On the **Create Lake Formation integration** screen, specify the ARNs of third-party applications that can access data in Amazon S3 locations registered with Lake Formation. Lake Formation vends scoped-down temporary credentials in the form of AWS STS tokens to registered Amazon S3 locations based on the effective permissions, so that authorized applications can access data on behalf of users.

1. (Optional) On the **Create Lake Formation integration** screen, under **Trusted identity propagation**, select the **Amazon Redshift Connect** checkbox to enable Amazon Redshift federated permissions discovery through IAM Identity Center. Lake Formation propagates the user's identity downstream based on the effective permissions, so that authorized applications can access data on behalf of users.

1. Select **Submit**.

   After the Lake Formation administrator completes these steps and creates the integration, the IAM Identity Center properties, including the integration status, appear in the Lake Formation console. Completing these tasks makes Lake Formation an IAM Identity Center enabled application. The integration status shows `Success` when the IAM Identity Center configuration is complete. 

------
#### [ AWS CLI ]
+ The following example shows how to create a Lake Formation integration with IAM Identity Center. The `Status` field of `--external-filtering` (`ENABLED` or `DISABLED`) controls whether the listed third-party applications are authorized. 

  ```
  aws lakeformation create-lake-formation-identity-center-configuration \
      --catalog-id <123456789012> \
      --instance-arn <arn:aws:sso:::instance/ssoins-112111f12ca1122p> \
      --share-recipients '[{"DataLakePrincipalIdentifier": "<123456789012>"},
                          {"DataLakePrincipalIdentifier": "<555555555555>"}]' \
      --external-filtering '{"AuthorizedTargets": ["<app arn1>", "<app arn2>"], "Status": "ENABLED"}'
  ```
+ The following example shows how to view a Lake Formation integration with IAM Identity Center.

  ```
  aws lakeformation describe-lake-formation-identity-center-configuration \
      --catalog-id <123456789012>
  ```
+ The following example shows how to enable `Redshift:Connect` Authorization. Authorization can be ENABLED or DISABLED.

  ```
  aws lakeformation create-lake-formation-identity-center-configuration \
  --instance-arn <arn:aws:sso:::instance/ssoins-112111f12ca1122p> \
  --service-integrations '[{
    "Redshift": [{
      "RedshiftConnect": {
        "Authorization": "ENABLED"
      }
    }]
  }]'
  ```
+ Use the `describe-lake-formation-identity-center-configuration` command to describe the Lake Formation IAM Identity Center application. The `Redshift:Connect` service integration is required for cross-service and cross-cluster identity propagation through IAM Identity Center:

  ```
  aws lakeformation describe-lake-formation-identity-center-configuration --catalog-id <123456789012>
  ```

  Response:

  ```
  {
      "CatalogId": "CATALOG ID",
      "InstanceArn": "INSTANCE ARN",
      "ApplicationArn": "APPLICATION ARN",
      "ShareRecipients": [],
      "ServiceIntegrations": [
          {
              "Redshift": [
                  {
                      "RedshiftConnect": {
                          "Authorization": "ENABLED"
                      }
                  }
              ]
          }
      ]
  }
  ```

------

## Using IAM Identity Center across multiple AWS Regions
<a name="connect-lf-identity-center-multi-region"></a>

Lake Formation supports IAM Identity Center in multiple AWS Regions. You can extend IAM Identity Center from your primary AWS Region to additional Regions for improved performance through proximity to users and for reliability. When a new Region is added in IAM Identity Center, you can create Lake Formation Identity Center applications in the new Region without replicating identities from the primary Region. For details on getting started with IAM Identity Center in multiple Regions, see [Multi-Region IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/multi-region-iam-identity-center.html) in the *IAM Identity Center User Guide*.

# Updating IAM Identity Center integration
<a name="update-lf-identity-center-connection"></a>

After creating the connection, you can add third-party applications to the IAM Identity Center integration so that they can access Amazon S3 data on behalf of users through Lake Formation. You can also remove existing applications from the integration. You can add or remove applications by using the Lake Formation console, the AWS CLI, or the [UpdateLakeFormationIdentityCenterConfiguration](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_UpdateLakeFormationIdentityCenterConfiguration.html) operation. 

**Note**  
After creating IAM Identity Center integration, you can't update the instance `ARN`.

------
#### [ AWS Management Console ]

**To update an existing IAM Identity Center connection with Lake Formation**

1. Sign in to the AWS Management Console, and open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. In the left navigation pane, select **IAM Identity Center integration**.

1. Select **Add** on the **IAM Identity Center integration** page.

1. Enter one or more valid AWS account IDs, organization IDs, and/or organizational unit IDs to allow external accounts to access the Data Catalog resources. 

1. On the **Add applications** screen, enter the application IDs of the third-party applications that you want to integrate with Lake Formation. 

1. Select **Add**.

1. (Optional) On the **IAM Identity Center integration** page, enable or disable trusted identity propagation for Amazon Redshift Connect. Lake Formation propagates the user's identity downstream based on the effective permissions, so that authorized applications can access data on behalf of users.

------
#### [ AWS CLI ]

You can add or remove third-party applications for the IAM Identity Center integration by running the following AWS CLI command. Setting the external filtering status to `ENABLED` lets IAM Identity Center provide identity management for third-party applications that access data managed by Lake Formation. You can also enable or disable the IAM Identity Center integration as a whole by setting the application status. 

```
aws lakeformation update-lake-formation-identity-center-configuration \
 --external-filtering '{"AuthorizedTargets": ["<app arn1>", "<app arn2>"], "Status": "ENABLED"}' \
 --share-recipients '[{"DataLakePrincipalIdentifier": "<444455556666>"},
                     {"DataLakePrincipalIdentifier": "<777788889999>"}]' \
 --application-status ENABLED
```

If you have an existing Lake Formation IAM Identity Center application and want to add the `Redshift:Connect` authorization, run the following command to update it. `Authorization` can be `ENABLED` or `DISABLED`.

```
aws lakeformation update-lake-formation-identity-center-configuration \
--service-integrations '[{
  "Redshift": [{
    "RedshiftConnect": {
      "Authorization": "ENABLED"
    }
  }]
}]'
```

------
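The create and update commands above take the same JSON documents for `--share-recipients`, `--external-filtering`, and `--service-integrations`, and a malformed account, organization, or OU ID only fails once the call reaches AWS. The following added example (not part of the Lake Formation documentation or the AWS CLI) validates those inputs locally and assembles the exact CLI command for either operation, refusing an instance ARN on update because the instance ARN cannot be changed after creation. The identifier patterns (12-digit account IDs, `o-…` organization IDs, `ou-…-…` OU IDs, and the shapes of Identity Center instance and application ARNs) are this example's assumptions; the application ARN check in particular is a sanity check, not a full validator.

```python
import json
import re
import shlex
from typing import Iterable, Optional

# Assumed identifier formats (this example's assumptions, not from the Lake Formation docs).
_ACCOUNT = re.compile(r"^\d{12}$")
_ORG = re.compile(r"^o-[a-z0-9]{10,32}$")
_OU = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")
_SSO_INSTANCE = re.compile(r"^arn:aws[a-z-]*:sso:::instance/ssoins-[0-9a-z]{16}$")
_SSO_APP = re.compile(r"^arn:aws[a-z-]*:sso::\d{12}:application/ssoins-[0-9a-z]{16}/[0-9a-z-]+$")


def classify_recipient(value: str) -> str:
    """Return 'account', 'organization' or 'ou' for a share recipient, else raise ValueError."""
    if _ACCOUNT.match(value):
        return "account"
    if _ORG.match(value):
        return "organization"
    if _OU.match(value):
        return "ou"
    raise ValueError(f"not an account, organization or OU ID: {value!r}")


def build_share_recipients(values: Iterable[str]) -> list:
    """Build the --share-recipients list; every entry is validated and duplicates are dropped."""
    seen, out = set(), []
    for v in values:
        classify_recipient(v)  # raises on a malformed ID before anything reaches AWS
        if v not in seen:
            seen.add(v)
            out.append({"DataLakePrincipalIdentifier": v})
    return out


def build_external_filtering(app_arns: Iterable[str], enabled: bool = True) -> dict:
    """Build the --external-filtering document for third-party application ARNs."""
    targets = []
    for arn in app_arns:
        if not _SSO_APP.match(arn):
            raise ValueError(f"not an IAM Identity Center application ARN: {arn!r}")
        targets.append(arn)
    return {"AuthorizedTargets": targets, "Status": "ENABLED" if enabled else "DISABLED"}


def build_service_integrations(redshift_connect: bool) -> list:
    """Build the --service-integrations document that toggles Redshift:Connect authorization."""
    auth = "ENABLED" if redshift_connect else "DISABLED"
    return [{"Redshift": [{"RedshiftConnect": {"Authorization": auth}}]}]


def build_cli_command(operation: str, catalog_id: str, *, instance_arn: Optional[str] = None,
                      share_recipients: Iterable[str] = (), app_arns: Iterable[str] = (),
                      filtering_enabled: bool = True, redshift_connect: Optional[bool] = None,
                      application_status: Optional[str] = None) -> str:
    """Assemble a create or update CLI command from validated inputs.

    The instance ARN is required on create and rejected on update, because the
    integration's instance ARN cannot be changed after creation.
    """
    if operation not in ("create", "update"):
        raise ValueError("operation must be 'create' or 'update'")
    if not _ACCOUNT.match(catalog_id):
        raise ValueError(f"catalog ID must be a 12-digit account ID: {catalog_id!r}")
    if operation == "create":
        if instance_arn is None or not _SSO_INSTANCE.match(instance_arn):
            raise ValueError("create requires a valid IAM Identity Center instance ARN")
    elif instance_arn is not None:
        raise ValueError("the instance ARN cannot be changed on update")

    args = ["aws", "lakeformation", f"{operation}-lake-formation-identity-center-configuration",
            "--catalog-id", catalog_id]
    if instance_arn:
        args += ["--instance-arn", instance_arn]
    recipients = build_share_recipients(share_recipients)
    if recipients:
        args += ["--share-recipients", json.dumps(recipients)]
    app_arns = list(app_arns)
    if app_arns:
        args += ["--external-filtering", json.dumps(build_external_filtering(app_arns, filtering_enabled))]
    if redshift_connect is not None:
        args += ["--service-integrations", json.dumps(build_service_integrations(redshift_connect))]
    if application_status is not None:
        if operation != "update" or application_status not in ("ENABLED", "DISABLED"):
            raise ValueError("--application-status is ENABLED or DISABLED and only valid on update")
        args += ["--application-status", application_status]
    return shlex.join(args)  # shell-safe quoting of the JSON arguments


if __name__ == "__main__":
    print(build_cli_command("create", "123456789012",
                            instance_arn="arn:aws:sso:::instance/ssoins-112111f12ca1122p",
                            share_recipients=["555555555555", "o-abcdefghij"],
                            redshift_connect=True))
```

Run the printed command only after reviewing it; the validators catch shape errors, not whether a recipient account actually belongs to your organization.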

# Deleting a Lake Formation connection with IAM Identity Center
<a name="delete-lf-identity-center-connection"></a>

To delete an existing IAM Identity Center integration, use the Lake Formation console, the AWS CLI, or the [DeleteLakeFormationIdentityCenterConfiguration](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_DeleteLakeFormationIdentityCenterConfiguration.html) operation.

------
#### [ AWS Management Console ]

**To delete an existing IAM Identity Center connection with Lake Formation**

1. Sign in to the AWS Management Console, and open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. In the left navigation pane, select **IAM Identity Center integration**.

1. Select **Delete** on the **IAM Identity Center integration** page.

1. On the **Confirm integration** screen, confirm the action, and select **Delete**.

------
#### [ AWS CLI ]

You can delete IAM Identity Center integration by running the following AWS CLI command. 

```
 aws lakeformation delete-lake-formation-identity-center-configuration \
     --catalog-id <123456789012>
```

------

# Granting permissions to users and groups
<a name="grant-permissions-sso"></a>

Your data lake administrator can grant permissions to IAM Identity Center users and groups on Data Catalog resources (databases, tables, and views) to allow easy data access. To grant or revoke data lake permissions, the grantor requires permissions for the following IAM Identity Center actions.
+ [DescribeUser](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html)
+ [DescribeGroup](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeGroup.html)
+ [DescribeInstance](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_DescribeInstance.html)

You can grant permissions by using the Lake Formation console, the API, or the AWS CLI.

For more information on granting permissions, see [Granting permissions on Data Catalog resources](granting-catalog-permissions.md). 

**Note**  
You can only grant permissions on resources in your account. To cascade permissions to users and groups on resources shared with you, you must use AWS RAM resource shares.

------
#### [ AWS Management Console ]

**To grant permissions to users and groups**

1. Sign in to the AWS Management Console, and open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. Select **Data lake permissions** under **Permissions** in the Lake Formation console. 

1. Select **Grant**.

1. On the **Grant data lake permissions** page, choose **IAM Identity Center users and groups**. 

1. Select **Add** to choose the users and groups to grant permissions.  
![\[Grant data lake permissions screen with IAM Identity Center users and groups selected.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/identity-center-grant-perm.png)

1. On the **Assign users and groups** screen, choose the users and/or groups to grant permissions.

   Select **Assign**.  
![\[Grant data lake permissions screen with IAM Identity Center users and groups selected.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/identity-center-assign-users-groups.png)

1. Next, choose the method to grant permissions.

   For instructions on granting permissions using named resources method, see [Granting data permissions using the named resource method](granting-cat-perms-named-resource.md).

   For instructions on granting permission using LF-Tags, see [Granting data lake permissions using the LF-TBAC method](granting-catalog-perms-TBAC.md).

1. Choose the Data Catalog resources on which you want to grant permissions.

1. Choose the Data Catalog permissions to grant.

1. Select **Grant**.

------
#### [ AWS CLI ]

The following example grants an IAM Identity Center user `SELECT` permission on all tables in the `retail` database (the `TableWildcard` resource). Replace `<UserId>` with the user's identity store ID.

```
aws lakeformation grant-permissions \
--principal DataLakePrincipalIdentifier=arn:aws:identitystore:::user/<UserId> \
--permissions "SELECT" \
--resource '{ "Table": { "DatabaseName": "retail", "TableWildcard": {} } }'
```

To retrieve `UserId` from IAM Identity Center, see [GetUserId](https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_GetUserId.html) operation in the IAM Identity Center API Reference.

------

# Including IAM Identity Center user context in CloudTrail logs
<a name="identity-center-ct-logs"></a>

Lake Formation uses [credential vending](using-cred-vending.md) functionality to provide temporary access to Amazon S3 data. By default, when an IAM Identity Center user submits a query to an integrated analytics service, the CloudTrail logs only include the IAM role assumed by the service to provide short term access. If you use a user-defined role to register the Amazon S3 data location with Lake Formation, you can opt in to include the IAM Identity Center user's context in the CloudTrail events, and then track the users that access your resources.

**Important**  
To include object-level Amazon S3 API requests in CloudTrail, you need to enable CloudTrail event logging for the Amazon S3 bucket and objects. For more information, see [Enabling CloudTrail event logging for Amazon S3 buckets and objects](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) in the Amazon S3 User Guide.

**To enable credential vending auditing on data lake locations registered with user-defined roles**

1. Sign in to the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. In the left-side navigation, expand **Administration**, and choose **Data Catalog settings**.

1. Under **Enhanced auditing**, choose **Propagate provided context.**

1. Choose **Save**.

You can also enable the enhanced auditing option by setting the `Parameters` attribute in the [PutDataLakeSettings](https://docs.aws.amazon.com/lake-formation/latest/APIReference/API_PutDataLakeSettings.html) operation. By default, the `SET_CONTEXT` parameter value is set to `"true"`.

```
{
    "DataLakeSettings": {
        "Parameters": {"SET_CONTEXT": "true"}
    }
}
```

The following is an excerpt from a CloudTrail event with the enhanced auditing option. This log includes both the IAM Identity Center user's session context and the user-defined IAM role assumed by Lake Formation to access the Amazon S3 data location. See the `onBehalfOf` parameter in the following excerpt.

```
{
         "eventVersion":"1.09",
         "userIdentity":{
            "type":"AssumedRole",
            "principalId":"AROAW7F7MOX4OYE6FLIFN:access-grants-e653760c-4e8b-44fd-94d9-309e035b75ab",
            "arn":"arn:aws:sts::123456789012:assumed-role/accessGrantsTestRole/access-grants-e653760c-4e8b-44fd-94d9-309e035b75ab",           
            "accountId":"123456789012",
            "accessKeyId":"ASIAW7F7MOX4CQLD4JIZN",
            "sessionContext":{
               "sessionIssuer":{
                  "type":"Role",
                  "principalId":"AROAW7F7MOX4OYE6FLIFN",
                  "arn":"arn:aws:iam::123456789012:role/accessGrantsTestRole",
                  "accountId":"123456789012",
                  "userName":"accessGrantsTestRole"
               },
               "attributes":{
                  "creationDate":"2023-08-09T17:24:02Z",
                  "mfaAuthenticated":"false"
               }
            },
            "onBehalfOf":{
                "userId": "<identityStoreUserId>",
                "identityStoreArn": "arn:aws:identitystore::<restOfIdentityStoreArn>"
            }
         },
         "eventTime":"2023-08-09T17:25:43Z",
         "eventSource":"s3.amazonaws.com",
         "eventName":"GetObject",
    ....
```
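The value of the `onBehalfOf` block is that an S3 data event can be tied back to an Identity Center user instead of stopping at the carrier role. The following added example (not part of the Lake Formation documentation) is a small CloudTrail post-processor that does that: it keeps only S3 data events, pulls the propagated user ID and identity store ARN out of `userIdentity.onBehalfOf`, groups the objects read per user, and separately lists events that carry only the assumed role, which is what you see when enhanced auditing is off or the role was assumed outside Lake Formation. The trail records, account, role, user and identity store IDs, bucket and keys are all constructed for this example; the `bucketName` and `key` fields under `requestParameters` follow the shape of real S3 data events.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed identifiers for the sample trail (not real accounts, roles or users).
ROLE_ARN = "arn:aws:iam::123456789012:role/lfDataAccessRole"
USER = "94482468-a0b1-4c2d-8e3f-0a1b2c3d4e5f"
STORE = "arn:aws:identitystore::123456789012:identitystore/d-9067abcdef"


def _record(event_name, bucket, key, when, user_id=None, source="s3.amazonaws.com"):
    """Build one constructed CloudTrail record shaped like the excerpt above.

    user_id=None omits onBehalfOf, i.e. the event carries only the carrier role.
    """
    identity = {
        "type": "AssumedRole",
        "arn": "arn:aws:sts::123456789012:assumed-role/lfDataAccessRole/access-grants-example",
        "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}},
    }
    if user_id:
        identity["onBehalfOf"] = {"userId": user_id, "identityStoreArn": STORE}
    return {"eventVersion": "1.09", "userIdentity": identity, "eventTime": when,
            "eventSource": source, "eventName": event_name,
            "requestParameters": {"bucketName": bucket, "key": key}}


# Constructed sample trail: two attributed reads, one role-only read, one non-S3 event.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("GetObject", "retail-lake", "orders/2023/08/part-0.parquet", "2023-08-09T17:25:43Z", USER),
    _record("GetObject", "retail-lake", "orders/2023/08/part-1.parquet", "2023-08-09T17:25:44Z", USER),
    _record("GetObject", "retail-lake", "customers/part-0.parquet", "2023-08-09T17:26:10Z"),
    _record("GetDataAccess", "", "", "2023-08-09T17:25:42Z", USER, source="lakeformation.amazonaws.com"),
]})


@dataclass(frozen=True)
class S3Access:
    event_time: str
    event_name: str
    s3_uri: str
    role_arn: str                      # user-defined role assumed by Lake Formation
    user_id: Optional[str]             # Identity Center user, when propagated
    identity_store_arn: Optional[str]

    @property
    def attributed(self) -> bool:
        return self.user_id is not None


def parse_record(rec: dict) -> S3Access:
    """Extract the carrier role and, if present, the propagated Identity Center user."""
    ui = rec["userIdentity"]
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    obo = ui.get("onBehalfOf") or {}
    params = rec.get("requestParameters") or {}
    return S3Access(
        event_time=rec["eventTime"],
        event_name=rec["eventName"],
        s3_uri=f"s3://{params.get('bucketName', '')}/{params.get('key', '')}",
        role_arn=issuer.get("arn", ui.get("arn", "")),
        user_id=obo.get("userId"),
        identity_store_arn=obo.get("identityStoreArn"),
    )


def parse_trail(trail_json: str) -> list:
    """Keep only S3 data events; control-plane events from other services are skipped."""
    recs = json.loads(trail_json)["Records"]
    return [parse_record(r) for r in recs if r.get("eventSource") == "s3.amazonaws.com"]


def access_by_actor(events) -> dict:
    """Group object URIs by Identity Center user ID.

    Events without a propagated user are grouped under 'ROLE-ONLY:<role arn>' so
    that unattributed data access stands out during review.
    """
    out = defaultdict(list)
    for e in events:
        actor = e.user_id if e.attributed else f"ROLE-ONLY:{e.role_arn}"
        out[actor].append(e.s3_uri)
    return dict(out)


def unattributed(events) -> list:
    """Events that reached S3 through the carrier role with no user context attached."""
    return [e for e in events if not e.attributed]


if __name__ == "__main__":
    evts = parse_trail(SAMPLE_TRAIL)
    for actor, uris in access_by_actor(evts).items():
        print(actor, uris)
    print(f"{len(unattributed(evts))} unattributed S3 event(s)")
```

In a real pipeline the `ROLE-ONLY` bucket is the one to alert on: once enhanced auditing is on for every registered location, a data-event from the carrier role with no `onBehalfOf` means either a location was registered without the option or the role was used outside the credential-vending path.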