Identity Federation for AWSAdministering Identity Federation for AWS

Administering Identity Federation for AWS

Owned by Steffen Opel [Utoolity]
Last updated: 24.01.2022Version comment

Identity Federation for AWS is an Amazon Web Services (AWS) integration app that provides Temporary AWS Security Credentials to Atlassian groups and enables access control to AWS Resources via Identity and Access Management (IAM) Policies – from a technical perspective it implements an Identity Broker/Token Vendor that uses the Atlassian Authentication System (Crowd) to Grant Access to AWS Resources. Administering the app comprises regular app maintenance as well as AWS integration and resource management.

Administration

Maintaining the app

The following topics are applicable to regular app maintenance:

Managing AWS resources

The following topics are applicable to AWS resource management:

  • Page:
    Providing AWS Security Credentials — In order to provide temporary AWS security credentials for other apps via a REST API and single sign-on (SSO) to the AWS Management Console, you need to provide long term AWS security credentials within Identity Federation for AWS.
  • Page:
    Configuring an AWS Access Key — In order to create AWS connectors, you need to add at least one AWS Access Key, which provides the required long-term AWS security credentials used to derive temporary AWS security credentials for your Atlassian users – refer to Create individual IAM users for details.
  • Page:
    Configuring an AWS Connector — In order to enable access to your AWS resources, you need to create at least one AWS Connector.
  • Page:
    Provisioning AWS Resources — You likely need to provision a few dedicated AWS resources to get started with identity federation. To ease this, there are two AWS CloudFormation templates to choose from.

Configuring an AWS connector

Refer to Configuring an AWS connector for details.

Configuring advanced scenarios

The following topics are applicable to advanced scenarios only:

  • Page:
    Configuring an Outbound HTTP(S) Proxy — If your Bamboo or Jira instance is running behind a firewall, the app will reuse the proxy configuration from the Atlassian host application.
  • Page:
    Configuring the AWS Client — The AWS API is eventually consistent only and also exhibits a customer specific dynamic throttling policy, both of which require respective retry logic to be in place. While the facilitated AWS SDK for Java features an exponential backoff strategy, it defaults to 2-3 retries only (accumulating to a retry window of up to ~4 seconds), which has proven to be too low for the use case at hand. The values are configurable accordingly, with an increased default of 7 retries (accumulating to a retry window of up to ~1 minute).
  • Page:
    Enabling Labs Features — Labs features are giving you a sneak preview of new features coming in future releases of Identity Federation for AWS. You can enable/disable each feature individually at any time.

How-to Articles

Frequently Asked Questions (FAQ)



Atlassian®, Atlassian Bamboo®, Bitbucket®, Atlassian Crowd®, Confluence®, Jira®, Jira Service Management™, Opsgenie®, and Statuspage™ are registered trademarks of Atlassian.
Amazon Web Services™, AWS™ and the “Powered by Amazon Web Services” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

Utoolity® is a registered trademark of Utoolity GmbH.
© 2022 Utoolity GmbH. All rights reserved.