# AWS IAM provider

Integrating an AWS IAM provider with Devolutions Server centralizes identity and access management by leveraging your existing AWS credentials. This configuration enables [account discovery](https://docs.devolutions.net/pam/kb/knowledge-base/create-anyidentity-action-script-dvls/#account-discovery), [heartbeat](https://docs.devolutions.net/pam/kb/knowledge-base/create-anyidentity-action-script-dvls/#heartbeat) monitoring, and [password rotation](https://docs.devolutions.net/pam/concepts/password-rotation/) for your AWS resources.

### Prerequisite

* Create a user in AWS who will act as the provider.
* Create an access key for that user.
* Grant the provider user the permissions listed below.

{% hint style="info" %}
Refer to the [AWS Identity and Access Management documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/) for more details on each action.
{% endhint %}

| **ACTION**                    | **DESCRIPTION**                                                     |
| ----------------------------- | ------------------------------------------------------------------- |
| `iam:GetUser`                 | To ensure the necessary permissions are in place before proceeding. |
| `iam:SimulatePrincipalPolicy` | To ensure the necessary permissions are in place before proceeding. |

#### Account discovery

| **ACTION**           | **DESCRIPTION**               |
| -------------------- | ----------------------------- |
| `iam:ListAccessKeys` | To get a list of access keys. |
| `iam:ListUsers`      | To get a list of IAM users.   |

#### Password reset - Password

| **ACTION**               | **DESCRIPTION**                                                  |
| ------------------------ | ---------------------------------------------------------------- |
| `iam:GetLoginProfile`    | To check whether a login profile needs to be created or updated. |
| `iam:CreateLoginProfile` | To generate a password if none exists.                           |
| `iam:UpdateLoginProfile` | To update the password.                                          |

#### Password reset - Access key

| **ACTION**            | **DESCRIPTION**                                                                                                              |
| --------------------- | ---------------------------------------------------------------------------------------------------------------------------- |
| `iam:CreateAccessKey` | To generate an access key on import or rotation.                                                                             |
| `iam:DeleteAccessKey` | To delete the previous access key after rotation.                                                                            |
| `iam:UpdateAccessKey` | To disable the previous access key before deletion.                                                                          |
| `iam:ListUserTags`    | To verify whether the tag of an access key needs to be updated.                                                              |
| `iam:TagUser`         | To add a tag to the user in the format `<accessKeyId, message>`. Note that tags are applied to the user, not the access key. |
| `iam:UntagUser`       | To remove an existing access key tag.                                                                                        |
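The access-key actions above describe a two-key rotation: create the replacement key, deactivate the previous key, delete it, and move the user tag that records which key is current. The following is an added example written for this page, not Devolutions Server's own implementation. The IAM client is injected so the flow can be exercised against the in-memory `FakeIam` below; with boto3 you would pass `boto3.client("iam")`, whose method names and keyword arguments the fake mirrors. All key ids, secrets and tag values are constructed sample data.

```python
"""Two-key rotation of an IAM user's access key, in the order the permission
table implies, with the <accessKeyId, message> tag kept on the user.
Added example; not Devolutions Server code. Key ids are constructed."""


class FakeIam:
    """Minimal in-memory stand-in for the boto3 IAM calls the rotation uses."""

    def __init__(self, user, keys, tags=None):
        self.keys = {user: {k: "Active" for k in keys}}
        self.tags = {user: dict(tags or {})}
        self.counter = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [
            {"AccessKeyId": k, "Status": s} for k, s in self.keys[UserName].items()]}

    def create_access_key(self, UserName):
        self.counter += 1
        new_id = f"AKIAEXAMPLENEW{self.counter:03d}"  # constructed id
        self.keys[UserName][new_id] = "Active"
        return {"AccessKey": {"AccessKeyId": new_id,
                              "SecretAccessKey": "constructed-secret"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]

    def list_user_tags(self, UserName):
        return {"Tags": [{"Key": k, "Value": v}
                         for k, v in self.tags[UserName].items()]}

    def tag_user(self, UserName, Tags):
        for t in Tags:
            self.tags[UserName][t["Key"]] = t["Value"]

    def untag_user(self, UserName, TagKeys):
        for k in TagKeys:
            self.tags[UserName].pop(k, None)


def rotate_access_key(iam, user, message="rotated by PAM"):
    """Rotate `user`'s access key; return (new_key_id, list_of_deleted_key_ids)."""
    existing = [m["AccessKeyId"]
                for m in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]]
    # IAM allows at most two access keys per user, so a user that already
    # holds two cannot receive a replacement: fail early instead of half-way.
    if len(existing) >= 2:
        raise RuntimeError(f"{user} already has 2 access keys; remove one first")

    new_id = iam.create_access_key(UserName=user)["AccessKey"]["AccessKeyId"]
    # In a real run the new secret is stored in the vault here, before the
    # previous key is touched, so a storage failure leaves the old key usable.

    # Disable before deleting: an Inactive key can still be re-enabled if a
    # consumer turns out not to have picked up the new secret.
    for old_id in existing:
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
        iam.delete_access_key(UserName=user, AccessKeyId=old_id)

    # Tags live on the user, not on the key: drop tags naming a deleted key
    # and record the new one as <accessKeyId, message>.
    stale = [t["Key"] for t in iam.list_user_tags(UserName=user)["Tags"]
             if t["Key"] in existing]
    if stale:
        iam.untag_user(UserName=user, TagKeys=stale)
    iam.tag_user(UserName=user, Tags=[{"Key": new_id, "Value": message}])
    return new_id, existing


if __name__ == "__main__":
    fake = FakeIam("svc-user", ["AKIAEXAMPLEOLD00001"],
                   tags={"AKIAEXAMPLEOLD00001": "initial import"})
    print(rotate_access_key(fake, "svc-user"), fake.keys, fake.tags)
```

The ordering matters for recovery: deactivating the old key before deleting it, and tagging only after the new key is live, means any failure part-way leaves either the old key re-enableable or the new key already recorded on the user.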

#### JSON policy for the AWS console

Here is the full JSON policy for the AWS console. It can be attached to a user or a group.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "iam:GetUser",
                "iam:ListUsers",
                "iam:ListAccessKeys",
                "iam:GetLoginProfile",
                "iam:CreateLoginProfile",
                "iam:UpdateLoginProfile",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:UpdateAccessKey",
                "iam:ListUserTags",
                "iam:TagUser",
                "iam:UntagUser"
            ],
            "Resource": "*"
        }
    ]
}
```
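Before saving the provider, it is worth confirming that the access key you created actually carries every action in the policy above; the page notes that `iam:SimulatePrincipalPolicy` is what the provider itself uses for that check. The following is an added example written for this page, not Devolutions Server code. It groups the actions the way the tables above do, evaluates a SimulatePrincipalPolicy response offline, and reports which feature each missing action breaks. The `simulate_live` helper calls boto3's real `simulate_principal_policy` (an assumption that boto3 is installed and credentials are configured); the sample response and the principal ARN placeholder are constructed.

```python
"""Check a SimulatePrincipalPolicy result against the actions an AWS IAM
provider needs. Added example; not Devolutions Server code."""
import json

# The policy's action list, grouped as the permission tables group it, so a
# report can say which provider feature a missing action would break.
REQUIRED_ACTIONS = {
    "permission check": ["iam:GetUser", "iam:SimulatePrincipalPolicy"],
    "account discovery": ["iam:ListUsers", "iam:ListAccessKeys"],
    "password reset (password)": [
        "iam:GetLoginProfile", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    ],
    "password reset (access key)": [
        "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:UpdateAccessKey",
        "iam:ListUserTags", "iam:TagUser", "iam:UntagUser",
    ],
}


def all_required_actions():
    """Flat, sorted list of every action the provider needs."""
    return sorted({a for group in REQUIRED_ACTIONS.values() for a in group})


def denied_actions(simulation_response):
    """Actions whose EvalDecision is not "allowed".

    `simulation_response` has the shape of the SimulatePrincipalPolicy API
    response: {"EvaluationResults": [{"EvalActionName": ..., "EvalDecision": ...}]}.
    An action missing from the response is treated as denied, never as allowed.
    """
    decisions = {r["EvalActionName"]: r["EvalDecision"]
                 for r in simulation_response.get("EvaluationResults", [])}
    return sorted(a for a in all_required_actions() if decisions.get(a) != "allowed")


def broken_features(simulation_response):
    """Map each feature group to the denied actions that would break it."""
    denied = set(denied_actions(simulation_response))
    return {feature: sorted(set(actions) & denied)
            for feature, actions in REQUIRED_ACTIONS.items()
            if set(actions) & denied}


def simulate_live(principal_arn):
    """Run the real simulation with boto3 (needs credentials and network).

    Assumes boto3 is installed; it is imported lazily so the offline
    functions above work without it.
    """
    import boto3

    iam = boto3.client("iam")
    return iam.simulate_principal_policy(PolicySourceArn=principal_arn,
                                         ActionNames=all_required_actions())


# Constructed sample response: a provider user whose policy omitted the
# tagging actions, so access-key rotation would fail part-way through.
# iam:ListUserTags is absent from the response entirely.
SAMPLE_RESPONSE = {
    "EvaluationResults": [
        {"EvalActionName": a, "EvalDecision": "allowed"}
        for a in all_required_actions()
        if a not in ("iam:TagUser", "iam:UntagUser", "iam:ListUserTags")
    ] + [
        {"EvalActionName": "iam:TagUser", "EvalDecision": "implicitDeny"},
        {"EvalActionName": "iam:UntagUser", "EvalDecision": "implicitDeny"},
    ]
}

if __name__ == "__main__":
    # For a live check: broken_features(simulate_live("arn:aws:iam::<ACCOUNT-ID>:user/<PROVIDER-USER>"))
    print(json.dumps(broken_features(SAMPLE_RESPONSE), indent=2))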

### Configure the AWS IAM provider for Devolutions Server

1. To create the AWS IAM user provider in Devolutions Server, go to ***Administration*** – ***Privileged access*** – ***Providers*** and click ***Add***.
2. Click ***AWS IAM User*** under ***Managed***.

   ![](https://cdnweb.devolutions.net/docs/DVLS6045_2025_3.png)
3. Enter a name and a description.
4. Under ***Credential type***, select ***Custom*** or ***Linked credential***.
5. If ***Custom*** is selected, enter the access key and the secret key from AWS.

   ![](https://cdnweb.devolutions.net/docs/DVLS6001_2025_2.png)
6. If ***Linked credential*** is selected, choose the privileged account in the drop-down menu.

   ![](https://cdnweb.devolutions.net/docs/DVLS6002_2025_2.png)
7. Check ***Add*** [***PAM vault***](https://docs.devolutions.net/pam/server/pam-vaults/) or ***Add a new*** [***account discovery configuration***](https://docs.devolutions.net/pam/server/scan-configurations/) if needed.

   <div data-gb-custom-block data-tag="hint" data-style="warning" class="hint hint-warning"><p>To do a reset password on import, a <a href="https://docs.devolutions.net/server/web-interface/administration/templates/password-templates/">password policy</a> must be created that follows the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#default-policy-details">AWS default password policy</a>.</p></div>
8. Go to the ***Account lifecycle policy*** tab.
9. Select the password policy previously created.
10. Click ***Save*** to close the window.
