
Amazon IAM
Amazon Web Services- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
Integrates with AWS Identity and Access Management (IAM) to
synchronize the account's IAM configuration into the Brinqa platform. The connector reads instance
profiles, roles (including their attached managed-policy ARNs and inline-policy names), the role
inline policy documents, customer-managed policies, and the default version document of each
customer-managed policy. IAM is a global AWS service, so the connector always calls the global IAM
endpoint (Region.AWS_GLOBAL) regardless of the configured region; when assumeRoleARN lists
multiple roles, each account is synced with its own IAM client.
Data retrieved from Amazon IAM
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| InstanceProfile | Yes | Cloud Resource |
| Role | Yes | Cloud Resource |
| RoleInlinePolicy | Yes | Cloud Resource |
| Policy | Yes | Cloud Resource |
| PolicyVersion | Yes | Cloud Resource |
For detailed steps on how to view the data retrieved from Amazon IAM in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Amazon IAM from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Access key ID | No | — | AWS user access key ID, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Secret access key | No | — | AWS user secret access key, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Default region | No | us-east-1 | Default AWS region. IAM is a global service so this value is informational only; the connector calls the global IAM endpoint regardless. |
| Assume role | No | — | Amazon Resource Name for the role to assume. |
| Session duration | No | 900 | Assume role session duration in seconds. |
| Page size | No | 100 | The maximum number of results to retrieve per operation. |
Authentication
Authentication is shared across the AWS connector bundle via the AwsConfiguration base class.
The IAM sub-connector uses the AWS SDK for Java v2 IamClient, which signs every request with AWS
SigV4 using credentials resolved through the following chain (in order):
- STS AssumeRole — if
assumeRoleARNis configured, the connector assumes that role (using the credentials below as the principal) and uses the resulting temporary session credentials. - Static access keys — if
accessKey/secretKeyare configured, they are used directly. - Default credentials provider chain — environment variables,
~/.aws/credentials, container role, or EC2 instance metadata.
Assumed-role sessions use the configurable sessionDuration (default 900 s) with a unique session
name per sync. assumeRoleARN may be a comma-separated list to sync multiple accounts in one run;
one global IamClient is constructed per role, and each client is closed when its account has been
fully synced.
Required AWS API permissions
| Permission | Purpose |
|---|---|
iam:ListInstanceProfiles | List instance profiles (InstanceProfile model) |
iam:ListRoles | List roles (Role and RoleInlinePolicy models) |
iam:ListAttachedRolePolicies | List a role's attached managed-policy ARNs (Role model) |
iam:ListRolePolicies | List a role's inline-policy names (Role and RoleInlinePolicy models) |
iam:GetRolePolicy | Retrieve a role's inline-policy document (RoleInlinePolicy model) |
iam:ListPolicies | List customer-managed policies (Policy and PolicyVersion models) |
iam:GetPolicyVersion | Retrieve a policy's default version document (PolicyVersion model) |
sts:AssumeRole | Only when assumeRoleARN is set |
How to obtain Amazon IAM credentials
Create an IAM user for AWS access
For the Amazon IAM connector to interact with the AWS SDK and retrieve identity data, you must provide specific AWS credentials and permissions. To create an IAM user, follow these steps:
-
Log in to your organization's AWS Management Console as an administrator.
-
Navigate to the Identity and Access Management (IAM) dashboard.
-
From the navigation pane under Access management, click Users, and then click Create user.
-
Provide a User name, leave the Provide user access to AWS Management Console option unchecked, and then click Next.
-
Click the Attach policies directly option and then click Create policy.
-
Click the JSON tab and paste the following minimum required policy:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["iam:ListInstanceProfiles","iam:ListRoles","iam:ListRolePolicies","iam:GetRolePolicy","iam:ListAttachedRolePolicies","iam:ListPolicies","iam:GetPolicyVersion"],"Resource": "*"}]} -
Click Next, provide a name for the policy, and then click Create policy.
-
Back on the Add permissions page, search for and select the policy you just created, and then click Next.
-
Click Create user.
Note: If you do not have permissions to create a new IAM user, contact your AWS administrator. For additional information, see AWS documentation.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
InstanceProfile
| Source Field Name | SDM Attribute |
|---|---|
InstanceProfile.arn | UID |
InstanceProfile.arn | ARN |
InstanceProfile.createDate | FIRST_SEEN |
InstanceProfile.instanceProfileId | INSTANCE_PROFILE_ID |
InstanceProfile.instanceProfileName | INSTANCE_PROFILE_NAME |
InstanceProfile.instanceProfileName (falls back to arn) | NAME |
InstanceProfile.path | PATH |
InstanceProfile.roles[].arn | ROLE_ARNS (multivalued) |
InstanceProfile.tags[] (key:value) | TAGS (multivalued) |
| literal "AWS" | CLOUD_PROVIDER |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Role
| Source Field Name | SDM Attribute |
|---|---|
ListAttachedRolePolicies -> AttachedPolicy.policyArn | ATTACHED_POLICY_ARNS (multivalued) |
| ListRolePolicies -> policyNames | INLINE_POLICY_NAMES (multivalued) |
| literal "AWS" | CLOUD_PROVIDER |
Role.arn | UID |
Role.arn | ARN |
Role.assumeRolePolicyDocument (URL-decoded) | ASSUME_ROLE_POLICY_DOCUMENT |
Role.createDate | FIRST_SEEN |
Role.description | DESCRIPTION |
Role.maxSessionDuration | MAX_SESSION_DURATION |
Role.path | PATH |
Role.permissionsBoundary.permissionsBoundaryArn | PERMISSIONS_BOUNDARY_ARN |
Role.roleId | ROLE_ID |
Role.roleName | ROLE_NAME |
Role.roleName (falls back to arn) | NAME |
Role.tags[] (key:value) | TAGS (multivalued) |
sync timestamp (Instant.now()) | LAST_CAPTURED |
RoleInlinePolicy
| Source Field Name | SDM Attribute |
|---|---|
GetRolePolicy.policyDocument (URL-decoded) | POLICY_DOCUMENT |
| ListRolePolicies -> policyNames entry | POLICY_NAME |
| literal "AWS" | CLOUD_PROVIDER |
Role.arn | ROLE_ARN |
Role.arn + " | UID |
Role.roleName | ROLE_NAME |
Role.roleName + "/" + policyName | NAME |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Policy
| Source Field Name | SDM Attribute |
|---|---|
| literal "AWS" | CLOUD_PROVIDER |
Policy.arn | UID |
Policy.arn | ARN |
Policy.attachmentCount | ATTACHMENT_COUNT |
Policy.createDate | FIRST_SEEN |
Policy.defaultVersionId | DEFAULT_VERSION_ID |
Policy.description | DESCRIPTION |
Policy.isAttachable | IS_ATTACHABLE |
Policy.path | PATH |
Policy.permissionsBoundaryUsageCount | PERMISSIONS_BOUNDARY_USAGE_COUNT |
Policy.policyId | POLICY_ID |
Policy.policyName | POLICY_NAME |
Policy.policyName (falls back to arn) | NAME |
Policy.tags[] (key:value) | TAGS (multivalued) |
Policy.updateDate | SOURCE_LAST_MODIFIED |
sync timestamp (Instant.now()) | LAST_CAPTURED |
PolicyVersion
| Source Field Name | SDM Attribute |
|---|---|
| literal "AWS" | CLOUD_PROVIDER |
Policy.arn | POLICY_ARN |
Policy.arn + " | UID |
Policy.arn + " | NAME |
PolicyVersion.createDate | FIRST_SEEN |
PolicyVersion.document (URL-decoded) | POLICY_DOCUMENT |
PolicyVersion.isDefaultVersion | IS_DEFAULT_VERSION |
PolicyVersion.versionId | VERSION_ID |
sync timestamp (Instant.now()) | LAST_CAPTURED |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
InstanceProfile
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
IamClient) · Endpoint:iam:ListInstanceProfiles
Role
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
IamClient) · Endpoint:iam:ListRoles
RoleInlinePolicy
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
IamClient) · Endpoint:iam:ListRoles
Policy
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
IamClient) · Endpoint:iam:ListPolicies - Default filters:
scope=LOCAL— only customer-managed policies are returned; AWS-managed
PolicyVersion
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
pageSize | maxItems value sent on each IAM List* call. | Shared pageSize configuration (100) | |
parallelismLevel | Number of parallel worker threads. | min(4, CPU cores) | No |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
IamClient) · Endpoint:iam:ListPolicies - Default filters:
scope=LOCAL— only customer-managed policies are returned. Policies with a
Changelog
The Amazon IAM connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | No changes in this release. | N/A |
| 3.1.0 | New Features - New connector — syncs instance profiles, roles, inline role policies, customer-managed policies, and policy versions. Role records expose their attached and inline policies, and trust policies are URL-decoded for direct readability. Improvements - Sync failures are now visible. Previously, certain AWS API errors (throttling, server errors, transient network failures, validation errors) could be silently swallowed during multi-region sync, producing empty results without indicating a problem. These now surface as sync failures with a clear log entry detailing the HTTP status, AWS error code, request id, and service name. Per-region permission gaps (HTTP 401 / 403) still allow the sync to continue across other regions, but are now visible in logs. | N/A |