AWS IAM Identity Center
Sync AWS IAM Identity Center users and groups to Gateco for identity-aware retrieval on AWS workloads.
AWS IAM Identity Center (formerly AWS SSO) is Amazon's cloud identity service for centralizing access to AWS accounts and applications. Gateco integrates with IAM Identity Center via the Identity Store API, syncing users and groups to power principal-based retrieval policies.
AWS IAM Identity Center has no native department field. Gateco maps the UserType attribute to department during sync — the standard Gateco convention for AWS workloads. Seed your IAM Identity Center users with UserType set to their department name to enable department-based ABAC policies.
Group membership in IAM Identity Center is synced to Gateco's principal groups array. Permission sets are not synced — Gateco operates on group names, not AWS IAM permission sets.
The AWS IDP adapter requires identity_store_id, aws_access_key_id, aws_secret_access_key, and region in the connector config.
Sample policy
{
  "name": "AWS team access",
  "effect": "allow",
  "rules": [{
    "conditions": [
      {"field": "principal.department", "operator": "eq", "value": "engineering"},
      {"field": "resource.classification", "operator": "in", "value": ["internal", "public"]}
    ]
  }],
  "selectors": [{}]
}

Policy conditions reference resource.* and principal.* fields (see the Policy reference).
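As an added illustration (not Gateco's own adapter code), the following Python simulates the sync mapping described above on constructed Identity Store records (UserType to department, group display names to the groups array, primary email) and evaluates the sample policy against the resulting principal; the helper names and the principal field names are assumptions.

```python
"""Added example: simulate Gateco's AWS sync mapping and the sample policy.
Record shapes follow identitystore DescribeUser / ListGroups / ListGroupMemberships
responses; the data is constructed and the helper and principal field names are
assumptions, not Gateco's actual code."""
import operator

# Constructed Identity Store records (no AWS call is made).
USER = {"UserId": "u-1", "UserName": "alice", "DisplayName": "Alice Example",
        "Emails": [{"Value": "alice@example.com", "Primary": True}],
        "UserType": "engineering"}  # UserType carries the department name
GROUPS = [{"GroupId": "g-1", "DisplayName": "platform"},
          {"GroupId": "g-2", "DisplayName": "oncall"}]
MEMBERSHIPS = [{"GroupId": "g-1", "MemberId": {"UserId": "u-1"}}]

POLICY = {  # the page's sample policy
    "name": "AWS team access", "effect": "allow",
    "rules": [{"conditions": [
        {"field": "principal.department", "operator": "eq", "value": "engineering"},
        {"field": "resource.classification", "operator": "in",
         "value": ["internal", "public"]}]}],
    "selectors": [{}]}

def to_principal(user, groups, memberships):
    """UserType -> department (Gateco convention); group display names -> groups."""
    email = next((e["Value"] for e in user.get("Emails", []) if e.get("Primary")), None)
    by_id = {g["GroupId"]: g["DisplayName"] for g in groups}
    member_of = sorted(by_id[m["GroupId"]] for m in memberships
                       if m["MemberId"].get("UserId") == user["UserId"])
    return {"id": user["UserId"], "email": email, "display_name": user.get("DisplayName"),
            "department": user.get("UserType"), "groups": member_of}

OPERATORS = {"eq": operator.eq, "in": lambda actual, allowed: actual in allowed}

def lookup(field, principal, resource):
    """Resolve a 'principal.x' / 'resource.x' field; a missing attribute gives None."""
    scope, _, attr = field.partition(".")
    return {"principal": principal, "resource": resource}[scope].get(attr)

def evaluate(policy, principal, resource):
    """Return the policy effect if every condition of some rule matches, else None.
    A missing attribute (e.g. a user synced without UserType) never matches."""
    for rule in policy["rules"]:
        if all((v := lookup(c["field"], principal, resource)) is not None
               and OPERATORS[c["operator"]](v, c["value"]) for c in rule["conditions"]):
            return policy["effect"]
    return None

if __name__ == "__main__":
    principal = to_principal(USER, GROUPS, MEMBERSHIPS)
    print(principal, evaluate(POLICY, principal, {"classification": "internal"}))
```

A user seeded without UserType ends up with department None and never satisfies the department condition, which is the failure mode the seeding advice above is meant to prevent.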
Frequently asked questions
- How does Gateco map AWS IAM Identity Center attributes?
- UserType → department (Gateco convention; no native department field in AWS). Email and display name are synced directly. AWS SSO groups become the principal's groups array. Permission sets are not synced.
- What IAM permissions does the Gateco access key need?
- Minimum: identitystore:ListUsers, identitystore:ListGroups, identitystore:DescribeUser. The connection test also calls sso-admin:ListInstances — if you omit this permission, the test shows a partial error but sync works correctly.
- Can I use AWS Cognito with Gateco?
- Not directly — the AWS adapter is specific to IAM Identity Center. If you use Cognito, the Stub adapter supports manual principal enrollment. Contact enterprise@gateco.ai to discuss a Cognito adapter.
Ready to connect AWS IAM Identity Center?
Follow the step-by-step setup guide or talk to the team for help with your specific configuration.