Documentation

Cloud Platform Connectors

Sync IAM policies, roles, and permissions from AWS, Azure, GCP, and Kubernetes into TigerIdentity for unified access governance.

Overview

Cloud platform connectors enable TigerIdentity to discover and monitor cloud infrastructure access across AWS, Azure, GCP, and Kubernetes. These connectors continuously sync IAM roles, permissions, resource access, and service accounts.

AWS IAM

Identity & Access Management

Azure RBAC

Role-Based Access Control

GCP IAM

Identity & Access Management

Kubernetes

RBAC & Service Accounts

What Gets Synced

IAM Users, Roles, and Groups
Policy Attachments and Permissions
Service Accounts and Workload Identities
Resource Access and Trust Relationships

AWS IAM Connector

Connect to AWS IAM to sync users, roles, policies, and cross-account access across your AWS organization.

IAM Role Assumption Setup

TigerIdentity uses IAM role assumption for secure, credential-free access to your AWS accounts.

# Step 1: Create IAM policy for TigerIdentity
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUser",
        "iam:ListUsers",
        "iam:GetRole",
        "iam:ListRoles",
        "iam:GetPolicy",
        "iam:ListPolicies",
        "iam:GetPolicyVersion",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListGroupsForUser",
        "iam:GetGroup",
        "iam:ListGroups",
        "iam:SimulatePrincipalPolicy",
        "organizations:ListAccounts",
        "organizations:DescribeOrganization",
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
# Step 2: Create IAM role with trust relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"  # TigerIdentity AWS account
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-unique-external-id"
        }
      }
    }
  ]
}

Connector Configuration

# aws-iam-connector.yaml
name: aws-production
type: aws-iam
enabled: true

config:
  # Authentication via role assumption
  authentication:
    method: assume_role
    roleArn: arn:aws:iam::123456789012:role/TigerIdentityRole
    externalId: ${AWS_EXTERNAL_ID}
    sessionDuration: 3600

  # Optional: Use specific region
  region: us-east-1

  # Multi-account support
  accounts:
    # Organization root account
    - accountId: "123456789012"
      name: production
      role: arn:aws:iam::123456789012:role/TigerIdentityRole

    # Member accounts
    - accountId: "234567890123"
      name: staging
      role: arn:aws:iam::234567890123:role/TigerIdentityRole

    - accountId: "345678901234"
      name: development
      role: arn:aws:iam::345678901234:role/TigerIdentityRole

  # Sync configuration
  sync:
    mode: polling
    interval: 10m

    resources:
      - users
      - roles
      - groups
      - policies
      - instance-profiles
      - access-keys

    # Resource filters
    filters:
      roles:
        # Only sync roles matching patterns
        include:
          - "TIG-*"
          - "App-*"
        exclude:
          - "AWS-*"
          - "*-ServiceRole"

      policies:
        # Only sync customer-managed policies
        managedOnly: false

  # Mapping configuration
  mapping:
    role:
      id: Arn
      name: RoleName
      description: Description
      assumeRolePolicy: AssumeRolePolicyDocument
      attachedPolicies: AttachedPolicies
      tags: Tags
      maxSessionDuration: MaxSessionDuration

    user:
      id: Arn
      name: UserName
      path: Path
      createDate: CreateDate
      tags: Tags

    policy:
      id: Arn
      name: PolicyName
      description: Description
      document: PolicyDocument
      isAttachable: IsAttachable

  # Advanced options
  advanced:
    # Resolve policy permissions
    resolvePermissions: true

    # Analyze trust relationships
    analyzeTrustRelationships: true

    # Track unused credentials
    trackUnusedCredentials: true
    unusedThresholdDays: 90

# Rate limiting
rateLimit:
  requestsPerSecond: 10
  burstSize: 20

Azure RBAC Connector

Integrate with Azure Active Directory and Azure RBAC to sync users, groups, roles, and resource access.

Service Principal Setup

Create an Azure AD service principal with the necessary permissions.

# Create service principal via Azure CLI
az ad sp create-for-rbac \
  --name "TigerIdentity-Connector" \
  --role "Reader" \
  --scopes /subscriptions/{subscription-id}

# Grant additional API permissions
az ad app permission add \
  --id {app-id} \
  --api 00000003-0000-0000-c000-000000000000 \
  --api-permissions \
    e1fe6dd8-ba31-4d61-89e7-88639da4683d=Role \  # User.Read.All
    5b567255-7703-4780-807c-7be8301ae99b=Role \  # Group.Read.All
    1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9=Role \  # Directory.Read.All
    9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8=Role     # RoleManagement.Read.All

# Grant admin consent
az ad app permission admin-consent --id {app-id}

Connector Configuration

# azure-rbac-connector.yaml
name: azure-production
type: azure-rbac
enabled: true

config:
  # Authentication
  authentication:
    tenantId: ${AZURE_TENANT_ID}
    clientId: ${AZURE_CLIENT_ID}
    clientSecret: ${AZURE_CLIENT_SECRET}

  # Subscription configuration
  subscriptions:
    - subscriptionId: "12345678-1234-1234-1234-123456789012"
      name: production

    - subscriptionId: "23456789-2345-2345-2345-234567890123"
      name: staging

  # Sync configuration
  sync:
    mode: polling
    interval: 10m

    resources:
      - users              # Azure AD users
      - groups             # Azure AD groups
      - service-principals # Service principals
      - roles              # RBAC role definitions
      - role-assignments   # RBAC role assignments
      - subscriptions      # Subscription info
      - resource-groups    # Resource groups
      - management-groups  # Management groups

  # Mapping
  mapping:
    user:
      id: id
      email: userPrincipalName
      displayName: displayName
      givenName: givenName
      surname: surname
      jobTitle: jobTitle
      department: department
      accountEnabled: accountEnabled

    group:
      id: id
      displayName: displayName
      description: description
      mailEnabled: mailEnabled
      securityEnabled: securityEnabled

    roleAssignment:
      id: id
      scope: scope
      roleDefinitionId: roleDefinitionId
      principalId: principalId
      principalType: principalType

  # Advanced options
  advanced:
    # Include privileged roles
    includePrivilegedRoles: true

    # Analyze conditional access policies
    analyzeConditionalAccess: true

    # Track PIM-eligible roles
    trackPIM: true

# Rate limiting
rateLimit:
  requestsPerSecond: 10

GCP IAM Connector

Connect to Google Cloud IAM to sync users, service accounts, roles, and IAM policy bindings.

Workload Identity Setup

Use Workload Identity Federation for secure, keyless authentication to GCP.

# Create service account with necessary permissions
gcloud iam service-accounts create tigeridentity-connector \
  --display-name="TigerIdentity Connector"

# Grant required roles
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:tigeridentity-connector@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/iam.securityReviewer"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:tigeridentity-connector@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/resourcemanager.organizationViewer"

# Create and download service account key
gcloud iam service-accounts keys create key.json \
  --iam-account=tigeridentity-connector@PROJECT_ID.iam.gserviceaccount.com

Connector Configuration

# gcp-iam-connector.yaml
name: gcp-production
type: gcp-iam
enabled: true

config:
  # Authentication
  authentication:
    type: service_account
    projectId: ${GCP_PROJECT_ID}

    # Option 1: Service account key file
    keyFile: /path/to/service-account-key.json

    # Option 2: Service account key JSON
    credentials: ${GCP_CREDENTIALS_JSON}

  # Organization/project configuration
  organization:
    id: "123456789012"

  projects:
    - projectId: "prod-project-123"
      name: production

    - projectId: "staging-project-456"
      name: staging

  # Sync configuration
  sync:
    mode: polling
    interval: 10m

    resources:
      - users
      - service-accounts
      - roles
      - iam-policies
      - projects
      - folders

  # Mapping
  mapping:
    serviceAccount:
      id: uniqueId
      email: email
      displayName: displayName
      projectId: projectId
      disabled: disabled

    role:
      id: name
      title: title
      description: description
      stage: stage
      includedPermissions: includedPermissions

    iamPolicy:
      bindings: bindings
      etag: etag
      version: version

  # Advanced options
  advanced:
    # Include custom roles
    includeCustomRoles: true

    # Analyze service account keys
    analyzeServiceAccountKeys: true

    # Track workload identity
    trackWorkloadIdentity: true

rateLimit:
  requestsPerSecond: 10

Kubernetes RBAC Connector

Integrate with Kubernetes to sync service accounts, roles, cluster roles, and RBAC bindings.

Kubernetes RBAC Integration

TigerIdentity connects to your Kubernetes clusters using a service account with read permissions.

# Create service account and permissions
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tigeridentity-connector
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tigeridentity-connector
rules:
  - apiGroups: [""]
    resources:
      - serviceaccounts
      - namespaces
      - pods
    verbs: ["get", "list", "watch"]

  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs: ["get", "list", "watch"]

  - apiGroups: [""]
    resources:
      - secrets
    verbs: ["get", "list"]
    resourceNames:
      - "*-token-*"  # Service account tokens only
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tigeridentity-connector
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tigeridentity-connector
subjects:
  - kind: ServiceAccount
    name: tigeridentity-connector
    namespace: kube-system

Connector Configuration

# kubernetes-connector.yaml
name: k8s-production
type: kubernetes
enabled: true

config:
  # Cluster connection
  clusters:
    - name: prod-cluster-1
      apiServer: https://prod-k8s-api.example.com

      # Authentication options
      authentication:
        # Option 1: Service account token
        type: service_account
        token: ${K8S_SERVICE_ACCOUNT_TOKEN}

        # Option 2: kubeconfig file
        # type: kubeconfig
        # kubeconfig: /path/to/kubeconfig

      # TLS configuration
      tls:
        insecureSkipVerify: false
        caCert: ${K8S_CA_CERT}

    - name: staging-cluster-1
      apiServer: https://staging-k8s-api.example.com
      authentication:
        type: service_account
        token: ${K8S_STAGING_TOKEN}

  # Sync configuration
  sync:
    mode: polling
    interval: 5m

    resources:
      - service-accounts
      - roles
      - cluster-roles
      - role-bindings
      - cluster-role-bindings
      - namespaces
      - pods  # For workload identity mapping

    # Namespace filters
    namespaces:
      include:
        - "prod-*"
        - "app-*"
      exclude:
        - "kube-system"
        - "kube-public"
        - "kube-node-lease"

  # Mapping
  mapping:
    serviceAccount:
      id: metadata.uid
      name: metadata.name
      namespace: metadata.namespace
      secrets: secrets

    role:
      id: metadata.uid
      name: metadata.name
      namespace: metadata.namespace
      rules: rules

    roleBinding:
      id: metadata.uid
      name: metadata.name
      namespace: metadata.namespace
      subjects: subjects
      roleRef: roleRef

  # Advanced options
  advanced:
    # Analyze pod service account usage
    analyzePodServiceAccounts: true

    # Track unused service accounts
    trackUnusedServiceAccounts: true
    unusedThresholdDays: 30

    # Map to cloud provider identities
    cloudProviderMapping:
      aws:
        enabled: true
        # Map IRSA annotations
        irsaAnnotation: eks.amazonaws.com/role-arn

      gcp:
        enabled: true
        # Map workload identity
        workloadIdentityAnnotation: iam.gke.io/gcp-service-account

      azure:
        enabled: true
        # Map pod identity
        podIdentityAnnotation: aadpodidbinding

rateLimit:
  requestsPerSecond: 50

Related Documentation

Connector Quick Start

Get started with connectors in minutes.

Learn more

Identity Provider Connectors

Connect Okta, Azure AD, Google Workspace, and more.

Learn more

Policy Engine

Create policies using cloud resource context.

Learn more

Building Custom Connectors

Create custom connectors with the SDK.

Learn more

Secure Your Cloud Infrastructure

Get complete visibility into cloud access across AWS, Azure, GCP, and Kubernetes.

Get StartedBrowse All Docs