If you use a SCIM integration to automatically provision users in your infrastructure for single sign-on, the SCIM access token that authenticates that integration expires and must be rotated on a schedule. Rotation is a three-part change: generate the new token, roll it out to whatever performs the provisioning, then delete the old token.
Google SSO
The access token that AWS generates for provisioning users expires and must be replaced regularly. AWS sends an email to the root email address of the Management account when the token is 90 days from expiration. To rotate the token:
From the AWS sign in portal, sign into the Identity account as an administrator.
Navigate to IAM Identity Center.
Navigate to “Settings” in the left-hand navigation panel.
In the “Identity Source” panel, select “Actions” and then “Manage Provisioning.”
Click “Generate Token” to issue a new token.
Copy down the token value.
Visit AWS Secrets Manager.
Edit the value of the secret aws-google-sso-sync.
Update the SCIMEndpointAccessToken field to the new token you just generated, leaving the other fields of the secret unchanged.
Save the secret.
As an administrator, re-apply the sso-sync/lambda module in the infrastructure to propagate the new secret to the sso-sync Lambda.
Return to IAM Identity Center.
Navigate to “Settings” in the left-hand navigation panel.
In the “Identity Source” panel, select “Actions” and then “Manage Provisioning.”
Confirm that the sso-sync Lambda completes a successful run with the new token before deleting the old one.
Select the old token that will soon be expiring.
Click "Delete" to deactivate the older token.
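The Secrets Manager steps above can be scripted so the rest of the secret is never clobbered by hand-editing. The example below is added here and is not part of the original runbook or of the sso-sync project. It assumes the secret's value is a JSON object containing a SCIMEndpointAccessToken key alongside other settings the Lambda reads (the sample secret and its SCIMEndpointUrl key are constructed placeholders), that boto3 is available, and that the caller holds credentials for the account that owns the secret. The pure rotate_scim_token function does the merge and runs offline; rotate_in_secrets_manager wraps it with the get/put calls.

```python
"""Rotate the SCIM access token inside the aws-google-sso-sync secret.

Added example, not the runbook's or the sso-sync project's own code.
Assumption: the secret value is a JSON object with a SCIMEndpointAccessToken
key plus other fields that must survive the rotation unchanged.
"""
import json

# Constructed sample of what the secret might look like; the URL and token
# values are placeholders, not real identifiers.
SAMPLE_SECRET = json.dumps(
    {
        "SCIMEndpointUrl": "https://scim.example.invalid/scim/v2/",
        "SCIMEndpointAccessToken": "old-token-placeholder",
    }
)


def read_token(secret_string: str) -> str:
    """Return the SCIMEndpointAccessToken value stored in a secret string."""
    return json.loads(secret_string)["SCIMEndpointAccessToken"]


def rotate_scim_token(secret_string: str, new_token: str) -> str:
    """Return a new SecretString with only SCIMEndpointAccessToken replaced.

    Every other key is preserved so the endpoint URL or other settings cannot
    be wiped by accident. Raises ValueError for malformed input, a missing
    field, an empty token, or a token identical to the current one (which
    would mean the old token was pasted back by mistake).
    """
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret is not valid JSON: {exc}") from exc
    if not isinstance(secret, dict):
        raise ValueError("secret must be a JSON object")
    if "SCIMEndpointAccessToken" not in secret:
        raise ValueError("secret has no SCIMEndpointAccessToken field")

    new_token = new_token.strip()
    if not new_token:
        raise ValueError("new token is empty")
    if new_token == secret["SCIMEndpointAccessToken"]:
        raise ValueError("new token equals the current token; nothing rotated")

    updated = dict(secret)
    updated["SCIMEndpointAccessToken"] = new_token
    return json.dumps(updated)


def rotate_in_secrets_manager(secret_id: str, new_token: str, region=None) -> str:
    """Fetch the secret, rotate the token field, and store a new version.

    Requires boto3 and credentials for the owning account; returns the
    VersionId of the secret version that was written.
    """
    import boto3  # imported here so the pure helper above runs without boto3

    client = boto3.client("secretsmanager", region_name=region)
    current = client.get_secret_value(SecretId=secret_id)
    updated = rotate_scim_token(current["SecretString"], new_token)
    resp = client.put_secret_value(SecretId=secret_id, SecretString=updated)
    return resp["VersionId"]


if __name__ == "__main__":
    import getpass
    import sys

    # Prompt for the token instead of taking it as an argument, so it does not
    # end up in shell history or in `ps` output on a shared host.
    secret_name = sys.argv[1] if len(sys.argv) > 1 else "aws-google-sso-sync"
    token = getpass.getpass("New SCIM access token: ")
    print("wrote secret version", rotate_in_secrets_manager(secret_name, token))
```

After the new version is written, the sso-sync Lambda still has to be re-applied as the runbook describes; writing the secret alone does not change what a deployed Lambda has already loaded.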