Issue with AWS Secrets Manager Credential Retrieval via IAM Role in SailPoint VA for AD Group Automation in PTA

Hi Developers

We are currently working on automating the privileged task for creating groups in Active Directory. As part of this process, we are trying to configure the “Credential Provider” in Identity Security Cloud (ISC) to retrieve credentials securely from “AWS Secrets Manager”, using the “IAM Role” authentication option.

Steps Performed:

  1. We configured “AWS Secrets Manager” to store and manage credentials required for AD group creation.
  2. In ISC, we set up the “Credential Provider” and selected the “IAM Role” authentication method.
  3. We attempted to retrieve the secret via “AWS CLI” to validate access and functionality.
  4. However, we encountered the error “Command not found” when running the AWS CLI command inside the SailPoint Virtual Appliance (VA), indicating that AWS CLI is not installed.
  5. We attempted to install the AWS CLI on the VA, but it appears that such modifications are restricted, and we are unable to proceed.

Questions/Clarifications:

  • Since AWS CLI is not available and cannot be installed on the SailPoint VA, how should we validate or test credential retrieval using the IAM Role?
  • When using the “IAM Role” option in ISC, how does the system determine which “IAM Role” to assume for retrieving the secret from AWS Secrets Manager?
  • Is there a need to configure an “Identity Provider (IdP)” or additional trust relationships in AWS to allow SailPoint VA to assume the correct IAM Role?

I would really appreciate your help.

Regards
Vatan

Trust policy on the role (the Principal is ec2.amazonaws.com; replace it if using another AWS service):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Permissions policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:your-region:your-account-id:secret:your-secret-name-*"
    }
  ]
}
```

Use this and let me know
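The following is an added example, not code from this thread, from SailPoint or from AWS. It addresses the original question (how to validate IAM-role credential retrieval when the AWS CLI cannot be installed on the VA) against the two policies in the reply above. With an `ec2.amazonaws.com` trust policy, "which role" is simply whichever instance profile is attached to the EC2 instance the VA runs on, and no IdP is involved; that trust policy is the entire trust relationship. The script therefore needs only `python3` and the standard library: it pulls the instance-profile credentials from IMDSv2, signs a `GetSecretValue` call with SigV4 by hand, and maps the outcome back to the policy that would explain it. Assumptions: the host is an EC2 instance with IMDSv2 reachable at 169.254.169.254, `python3` exists on it (if it does not on the VA, run this from any EC2 instance launched with the same instance profile, which exercises the same IAM path), and the region and secret name are supplied as arguments. All function names are my own.

```python
import hashlib
import hmac
import json
import sys
import time
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254/latest"  # assumption: EC2 instance with IMDSv2


def instance_role_credentials(timeout=2):
    """Return (role name, temporary credentials) for the attached instance profile.
    A 404 on .../iam/security-credentials/ means no instance profile is attached."""
    tok_req = urllib.request.Request(
        IMDS + "/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(tok_req, timeout=timeout) as resp:
        hdr = {"X-aws-ec2-metadata-token": resp.read().decode()}
    base = IMDS + "/meta-data/iam/security-credentials/"
    with urllib.request.urlopen(urllib.request.Request(base, headers=hdr), timeout=timeout) as resp:
        role_name = resp.read().decode().split()[0]
    with urllib.request.urlopen(urllib.request.Request(base + role_name, headers=hdr), timeout=timeout) as resp:
        return role_name, json.load(resp)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(access_key, secret_key, session_token, region, service,
                  host, target, body, amz_date=None):
    """Sign a JSON-1.1 POST to an AWS endpoint with Signature Version 4."""
    amz_date = amz_date or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    date = amz_date[:8]
    headers = {"content-type": "application/x-amz-json-1.1", "host": host,
               "x-amz-date": amz_date, "x-amz-target": target}
    if session_token:  # instance-profile credentials are always temporary
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "",
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    sig = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={sig}")
    return headers


def get_secret(secret_id, region, creds, timeout=5):
    """Call secretsmanager:GetSecretValue; return (ok, parsed JSON body)."""
    host = f"secretsmanager.{region}.amazonaws.com"
    body = json.dumps({"SecretId": secret_id})
    headers = sigv4_headers(creds["AccessKeyId"], creds["SecretAccessKey"],
                            creds.get("Token"), region, "secretsmanager", host,
                            "secretsmanager.GetSecretValue", body)
    req = urllib.request.Request(f"https://{host}/", data=body.encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, json.load(resp)
    except urllib.error.HTTPError as err:
        return False, json.loads(err.read().decode() or "{}")


def explain(ok, payload):
    """Map the API outcome onto the trust-policy / permissions-policy split."""
    if ok:
        return "OK: this role can read the secret"
    err = payload.get("__type", "").split("#")[-1]
    if err == "AccessDeniedException":
        return "DENIED: role lacks secretsmanager:GetSecretValue on this ARN (permissions policy)"
    if err == "ResourceNotFoundException":
        return "NOT FOUND: secret name or region does not match the Resource ARN"
    return f"UNEXPECTED: {err} {payload.get('Message') or payload.get('message')}"


if __name__ == "__main__":
    region, secret_id = sys.argv[1], sys.argv[2]  # e.g. us-east-1 prod/ad-group-automation
    role, creds = instance_role_credentials()
    print("instance profile role:", role)
    ok, payload = get_secret(secret_id, region, creds)
    print(explain(ok, payload))  # never print payload["SecretString"] into a log
```

Reading the result: a failure already at the IMDS step means no instance profile is attached to the instance, so the trust policy never comes into play; `AccessDeniedException` means the role exists and is being used but the permissions policy does not cover this secret's ARN; `ResourceNotFoundException` usually means the ARN, name or region in the `Resource` element differs from the real secret. Deliberately, only the role name and a verdict are printed, not the secret value.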

Hi @ManvithaNalabolu06

thank you for your response.
Looks like we are able to connect with EC2 now.

Can you please help me with the below error:

Thanks

The error means SailPoint couldn’t retrieve OUs from Active Directory due to a failed LDAP command. First, ensure the AD account SailPoint uses has read permissions on the OUs. Check that the Base DN is correctly configured in the AD source (e.g., DC=example,DC=com). Test connectivity from the VA to the AD server to ensure network access is working. If all settings are correct, review VA logs for LDAP errors like access denied or referral issues. Let me know how that works.
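The "test connectivity from the VA to the AD server" step in the reply above, as an added example that is not part of the thread and not SailPoint's code. It probes the LDAP, LDAPS and Global Catalog ports of a domain controller with only the Python standard library and, more usefully than a plain yes/no, classifies the failure: a name-resolution error, a connection refused (the host answered, nothing is listening), a timeout (packets silently dropped, typically a firewall) or no route. That distinction decides whether the fix is DNS, a firewall rule or the DC itself. Assumptions: `python3` is available on the VA (otherwise run it from any host in the VA's subnet and security group, which tests the same path); the hostname and ports are placeholders; all function names are my own.

```python
import socket

# Assumed AD listener ports; adjust if the DC uses non-standard ports.
AD_PORTS = {389: "ldap", 636: "ldaps", 3268: "global-catalog", 3269: "global-catalog-ssl"}


def check_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and return 'open', 'dns', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"          # name does not resolve: a DNS/forwarder problem, not a firewall
    except ConnectionRefusedError:
        return "refused"      # host reachable, but nothing listening (or host firewall rejects)
    except socket.timeout:
        return "timeout"      # no SYN-ACK at all: usually a firewall dropping the packets
    except OSError:
        return "unreachable"  # no route / network unreachable


def probe_domain_controller(host, ports=AD_PORTS, timeout=3.0):
    """Probe every AD port and return {port: state}."""
    return {port: check_tcp(host, port, timeout) for port in ports}


def diagnose(results):
    """Turn the per-port map into the one-line finding to hand to the network team."""
    states = set(results.values())
    if states == {"dns"}:
        return "name resolution failed: the VA cannot resolve the DC; fix DNS first"
    if "open" in states:
        opened = sorted(p for p, s in results.items() if s == "open")
        return f"reachable on {opened}; if ISC still fails, check the account, Base DN and VA logs"
    if states <= {"timeout", "unreachable"}:
        return "no path: firewall or routing between the VA and the DC blocks the connection"
    return "host reachable but LDAP ports refused: the DC is not listening or a host firewall rejects"


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"  # placeholder hostname
    results = probe_domain_controller(dc)
    for port, state in results.items():
        print(f"{dc}:{port} ({AD_PORTS[port]}): {state}")
    print(diagnose(results))
```

Run it as `python3 probe_dc.py dc01.example.com` (name assumed). A mix of `timeout` on 389/636 from the VA but `open` from another host in the same data centre is the classic signature of the "no direct connectivity" situation described later in this thread, and points at a firewall rule rather than at the AD account or Base DN.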

Hi Manvitha

Yes, there is a connectivity issue between the VA and the domain controller.
For us there is no direct connectivity,
so we are working on it.
thanks


Ok. Thank you. Let me know if you need anything
