How to Set Up Access Governance Automation App for Jira with AWS

This guide walks you through configuring AWS IAM credentials inside the Application Access and Governance Workflow app so that it can automatically provision and deprovision users, manage group memberships, and enforce lifecycle policies, all from within Jira.

This step-by-step guide will help you:

  • Integrate AWS with the app
  • Automate access approvals and provisioning
  • Improve visibility, compliance, and control over access management

By the end of this guide, you’ll have a secure, rule-based workflow in place for handling access requests across your organization — directly from your Jira portal.

App Overview

The Access Governance Automation app for Jira is an advanced solution built on Jira Service Management (JSM) to simplify and automate access request workflows across your organization.

Instead of relying on manual request and approval steps, the app enables:

  • End users to submit access requests through the JSM portal.
  • Automated routing of approval workflows based on predefined rules.
  • Instant provisioning actions once approvals are complete.

By automating these processes, the Access Governance Automation app for Jira ensures secure, policy-driven, and audit-ready access management across your tech ecosystem.

Pre-requisites

Before you begin, make sure you have the following:

  • Admin access to Jira Service Management (JSM): Required to configure workflows, custom fields, and automation rules.
  • Admin access to AWS: Needed to authorize integrations and manage access provisioning.
  • Access Governance Automation app for Jira: Ensure the app is installed from the Atlassian Marketplace and properly licensed via miniOrange.

1: Retrieve Credentials

A. Create a Custom IAM Policy

Define the minimum permissions required for automated provisioning and group management. This custom policy will be attached to the dedicated IAM user you create in Step 1.B. It restricts the integration to only the AWS IAM actions it actually needs.

    Create the Policy in AWS

    • Log in to the AWS Management Console.
    • Navigate to IAM → Policies.
    • Click Create policy.
    • Select the JSON tab.
    • Remove any existing content and paste the policy JSON shown below.
    • Click Next.
    • Enter a policy name, for example: AutomatedProvisioningPolicy.
    • Review the policy and click Create policy.

    Policy JSON - Minimum Required Permissions

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "iam:SimulatePrincipalPolicy",
              "iam:CreateUser",
              "iam:DeleteUser",
              "iam:AddUserToGroup",
              "iam:RemoveUserFromGroup",
              "iam:GetUser",
              "iam:ListUsers",
              "iam:ListGroups",
              "iam:ListGroupsForUser"
            ],
            "Resource": "*"
          }
        ]
      }


    Why iam:SimulatePrincipalPolicy is required:

    • This permission is used to safely validate whether the configured IAM user has the required permissions. It evaluates permissions without creating or modifying any AWS resources. Without it, the Test Connection step will fail.

    Optional: Restrict Policy by Users or Groups

    • You can limit which IAM users and groups the policy can manage. These restrictions are recommended for production environments.
    • Restrict by Username Pattern: Add a Condition block to limit actions to usernames matching a prefix, e.g. app-*:
      "Condition": {
        "StringLike": {
          "iam:UserName": "app-*"
        }
      }
      
    • Restrict by Specific IAM Groups (Recommended): Replace the wildcard Resource with explicit group ARNs:
      {
        "Effect": "Allow",
        "Action": [
          "iam:AddUserToGroup",
          "iam:RemoveUserFromGroup"
        ],
        "Resource": [
          "arn:aws:iam::123456789012:group/Admins",
          "arn:aws:iam::123456789012:group/Developers"
        ]
      }
      
      
    • Replace 123456789012 with your actual AWS Account ID.
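
As an added example (not part of the original guide or the miniOrange app), this Python code combines the two optional restrictions into one policy, scoping by Resource ARN rather than a Condition block, and reports which state-changing actions a policy still allows on "*". The function names, Sid values and the choice to leave the read-only and simulation actions on "*" are assumptions; the account ID, prefix and group names are the guide's sample values.

```python
import json
from fnmatch import fnmatchcase

# Actions from the guide's policy, split by whether they change IAM state.
MUTATING = ["iam:CreateUser", "iam:DeleteUser",
            "iam:AddUserToGroup", "iam:RemoveUserFromGroup"]
READ_ONLY = ["iam:SimulatePrincipalPolicy", "iam:GetUser", "iam:ListUsers",
             "iam:ListGroups", "iam:ListGroupsForUser"]
# The guide's baseline policy: every action allowed on every resource.
GUIDE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": READ_ONLY + MUTATING, "Resource": "*"}]}

def _as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def wildcard_mutations(policy):
    """Return the mutating actions that an Allow statement grants on Resource "*"."""
    # Condition blocks are not evaluated; only the Resource element is checked.
    found = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive and may contain * or ? wildcards.
            found.update(a for a in MUTATING if fnmatchcase(a.lower(), pattern.lower()))
    return sorted(found)

def build_scoped_policy(account_id, user_prefix, groups):
    """Scope user changes to a name prefix and membership changes to listed groups."""
    base = f"arn:aws:iam::{account_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadAndValidate", "Effect": "Allow",
         "Action": READ_ONLY, "Resource": "*"},
        {"Sid": "ManagePrefixedUsers", "Effect": "Allow",
         "Action": ["iam:CreateUser", "iam:DeleteUser"],
         "Resource": f"{base}:user/{user_prefix}*"},
        {"Sid": "ManageListedGroups", "Effect": "Allow",
         "Action": ["iam:AddUserToGroup", "iam:RemoveUserFromGroup"],
         "Resource": [f"{base}:group/{g}" for g in groups]}]}

if __name__ == "__main__":
    scoped = build_scoped_policy("123456789012", "app-", ["Admins", "Developers"])
    print("guide policy :", wildcard_mutations(GUIDE_POLICY))
    print("scoped policy:", wildcard_mutations(scoped))
    print(json.dumps(scoped, indent=2))
```

After attaching a scoped policy, run Test Connection again to confirm the app still validates with the narrower permissions.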

B. Create a Dedicated IAM User

Create a non-admin IAM user used exclusively for automated provisioning actions.

Important: This user should not have administrator privileges and must not be given access to the AWS Management Console.
  • Log in to the AWS Management Console.
  • Navigate to IAM → Users.
  • Click Create user.
  • Enter a username, for example: provisioning-user.
  • Do not enable "Provide user access to the AWS Management Console".
  • Click Next.
  • Under Set permissions, choose Attach policies directly.
  • Search for and attach the custom policy created in Step 1.A (e.g. AutomatedProvisioningPolicy).
  • Review and click Create user.

C. Create Access Keys for the IAM User

Generate programmatic credentials to allow the app to perform provisioning actions.

  • Navigate to IAM → Users.
  • Select the IAM user created in Step 1.B.
  • Open the Security credentials tab.
  • Click Create access key.
  • Select Third-party service as the use case.
  • Click Create access key.
  • Copy and securely store the Access Key ID and Secret Access Key.
    Important: The Secret Access Key is shown only once and cannot be retrieved later. Make sure to copy it before closing this screen.

2: Connect AWS IAM to the Access Governance Automation App

A. Configure AWS Credentials in the App

  • Enter the IAM credentials in Application Access and Governance Workflow to enable automated provisioning.
  • After creating the IAM user and generating access keys, open the Application Access and Governance Workflow app in Jira and navigate to the AWS integration configuration screen. Enter the following details:
    • Access Key ID: The Access Key ID generated in Step 1.C.
    • Secret Access Key: The Secret Access Key generated in Step 1.C.
    • AWS Account ID: Found in your AWS account profile (top-right corner of the AWS Console).
    • AWS Region: The AWS region where your IAM users are managed, e.g. us-east-1.
  • Once all fields are filled in, save the configuration before proceeding to the test step.

B. Test Connection

  • After saving the configuration, click Test Connection. You will receive a confirmation message indicating whether the configuration is successful. Once verified, the AWS IAM integration is fully set up and ready for automated user lifecycle management.

3: Portal Config — Set Project, Request Type, Fields, Statuses for Access Requests

Configure the Jira project, request type, fields, and status names used by access workflows. Complete this before creating automations.

  • Jira Service Management Project: Select the JSM project used for access requests.
  • Request Type: Select the request type within the chosen JSM project. This determines which custom fields are available.
  • Access Level Field: In the selected JSM project and its request type, create a new custom field of type Select list (single choice). Then select that field here. It will store values like "Application Name - Access level".
  • Approver Field: Map the custom field that holds the approver for the request raised.
  • Status: Map Approved and Denied status names used by your Jira workflows.
  • Click Save Settings.
Ensure the Approver field is a single-user field and editable by your project permissions.

Access Level options are added to your Jira field when you save a workflow. On app rename, related options are removed and recreated automatically to reflect the new app name.

4: Define Access Rules for AWS

Once your AWS integration is connected, the next step is to define access rules within the Access Governance Automation app for Jira. These rules determine how access requests are routed and approved for your application.

How to Create Access Rules:

  • Go to Workflow Automations and click Create New Automation.
  • Workflow: Enter a clear name and a short description.
  • Access Request:
    1. Select Application.
    2. Enter an Access Level (e.g., L1, L2). When you save the workflow, the system will create the corresponding option in your configured Access Level Jira field, formatted as "Application Name – Access level".
    3. Choose an Approver (licensed, active user). The system stores the user’s accountId and sets it on the Jira issue in the Approver field you selected in Portal Config, when the selected workflow runs for the request.
    4. Enter the Access Group to be granted. This group must already exist in the connected application; otherwise the workflow will not run successfully.
  • Review and click Save.
Tip: Use concise, descriptive names (e.g., "AWS – HR L1").

After saving, the Access Level option is created automatically if it doesn’t already exist.

5: Review Audit Logs for Compliance and Troubleshooting

Use Audit Logs to search, review, and export activity for troubleshooting and compliance.

  • Open Audit Logs.
  • Apply filters (Category, Initiator, Date/Range).
  • Click Audit Log Actions to export audit logs as CSV/JSON/PDF.
Tip: Narrow date ranges for faster queries and smaller exports.

Best Practices for Admins

Maximize the efficiency, security, and compliance of your access management workflows by following these recommended best practices:

  • Use service accounts for provider tokens; rotate them regularly.
  • Keep Portal Config consistent (fields and status names) across projects.
  • Always test connections after credential changes.
  • Name workflows clearly (e.g., "AWS – HR L1").
  • Review Audit Logs periodically and export for audits.