AWS Integration: Replace SCIM Token with IAM Role for IAM Identity Center
complete
Johannes Rudolph
meshStack's AWS integration for IAM Identity Center requires a SCIM token to manage groups and memberships. This approach presents two significant security challenges:
- Violation of Least Privilege: The SCIM token is overly permissive. It grants meshStack permissions beyond its actual needs (e.g., onboarding or modifying users), when it only needs to manage group creation and memberships.
- Requires manual/semi-automated secret rotation of the SCIM token
The AWS SCIM API only supports bearer tokens. This is a documented AWS limitation:
> IAM Identity Center SCIM implementation supports the bearer HTTP authentication scheme [...] Other authentication schemes described in the SCIM specifications are not supported at this time.
If meshStack used the AWS Identity Store APIs (e.g., identitystore:CreateGroup, identitystore:AddMemberToGroup, etc.) for its AWS integration, this would enable:
- Enhanced Security (Least Privilege): Customers could attach a granular IAM policy to the role, limiting meshStack only to the specific Identity Store actions it requires.
- Simplified Operations: This would eliminate the need to securely store, manage, and rotate a long-lived SCIM token for the meshStack integration.
- Future-Proof (Secret-less): By moving fully to the AWS SDK (for both Identity Store and SSO Admin), we can enable authentication via Workload Identity Federation (WIF), allowing for a completely secret-less integration.
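A granular permissions policy of the kind described above, as an added example in Terraform HCL (not code from meshcloud or the terraform-aws-meshplatform module). The exact Identity Store action set meshStack needs, the account and identity store IDs, and the `aws_iam_role.replicator` reference are assumptions; attach the document to the replicator role with an `aws_iam_role_policy`.

```hcl
# Added example, not code from meshcloud's terraform-aws-meshplatform module.
# Least-privilege permissions policy for the replicator role: only the Identity Store
# actions needed to create groups and manage memberships (action set is an assumption).
locals {
  # placeholders: account ID and IAM Identity Center identity store ID
  identity_store_arn = "arn:aws:identitystore::123456789012:identitystore/d-0000000000"
}

data "aws_iam_policy_document" "meshstack_identitystore" {
  # Group lifecycle for groups matching the configured group name pattern
  statement {
    sid = "ManageGroups"
    actions = [
      "identitystore:CreateGroup",
      "identitystore:DeleteGroup",
      "identitystore:DescribeGroup",
      "identitystore:GetGroupId",
      "identitystore:ListGroups",
    ]
    resources = [local.identity_store_arn, "arn:aws:identitystore:::group/*"]
  }

  # Membership management: add and remove members, read current state
  statement {
    sid = "ManageMemberships"
    actions = [
      "identitystore:CreateGroupMembership",
      "identitystore:DeleteGroupMembership",
      "identitystore:ListGroupMemberships",
    ]
    resources = [
      local.identity_store_arn,
      "arn:aws:identitystore:::group/*",
      "arn:aws:identitystore:::user/*",
      "arn:aws:identitystore:::membership/*",
    ]
  }

  # Read-only user lookup. Deliberately no CreateUser/UpdateUser/DeleteUser:
  # write access to user records is what the SCIM token granted beyond need.
  statement {
    sid = "ReadUsers"
    actions = [
      "identitystore:DescribeUser",
      "identitystore:GetUserId",
      "identitystore:ListUsers",
    ]
    resources = [local.identity_store_arn, "arn:aws:identitystore:::user/*"]
  }
}
```

Compared with the SCIM token, which carries full user provisioning rights, this policy can be reviewed and tightened per account, and revoking it is a policy change rather than a token rotation.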
Johannes Rudolph marked this post as complete
Update: AWS Identity Store API Integration Now Available
The AWS Identity Store API integration is now live in meshStack v2026.10.0.
What's available now:
- Select "AWS Identity Store API" as the IAM integration type in your AWS platform configuration
- Authenticates meshStack to AWS IAM Identity Store API via IAM roles — compatible with Workload Identity Federation (WIF), no SCIM token required
- Configure your Identity Store ID, SSO Instance ARN, group name pattern, sign-in URL, and role mappings
- Supports locally managed AWS Identity Store users (not only federated identities)
You will need to update your IAM policies to allow the required Identity Store API calls. We're currently updating the terraform-aws-meshplatform reference implementation with the necessary changes.
If you'd like help migrating your existing SCIM-based AWS integration, reach out to our team at support@meshcloud.io.
Johannes Rudolph marked this post as in progress
Johannes Rudolph marked this post as under review
We are currently reviewing implementation options for this.
One additional use case that we became aware of that gets unlocked by this feature is that it allows configuring an AWS SSO Instance to use locally managed users instead of federated users from an external identity provider.
Our current research goals are:
- introducing an option to use the AWS Identity Store APIs via the existing replicator role + WIF authentication
- introducing these configuration options as a backwards compatible new field in the existing meshPlatform.v2 GA API model