Does the AWS IAM Identity Center integration work on the Gateco Free plan?

No. Connecting a real identity provider (AWS, Azure, GCP, or Okta) requires the Growth plan or above. The Free and Team plans support stub IDP configurations for development and testing only.

How long does the initial sync take for a large organization?

For organizations up to 10,000 users, the initial sync typically completes in under 60 seconds. Subsequent syncs run every 60 minutes by default (configurable in Identity Provider settings). You can also trigger a manual sync at any time.

Connect AWS IAM Identity Center to Gateco

This guide walks you through connecting AWS IAM Identity Center to Gateco so that your AWS users and groups become available as principals for identity-aware retrieval policies. Once synced, you can write RAG access control rules like "allow members of the engineering group to retrieve documents classified as internal" — enforcing identity-based access at the retrieval layer without any custom logic in your application.

AWS IAM Identity Center integration requires the Growth plan or above. Free and Team plan users can connect a stub IDP for development.

Step 1 — Enable IAM Identity Center

IAM Identity Center must be enabled in your AWS Organization before you can create an Identity Store.

Open the AWS Console and navigate to IAM Identity Center (search "Identity Center" in the top bar).
If prompted, click Enable. This takes about 30 seconds.
Once enabled, go to Settings. Note the Identity Store ID — it looks like d-90660f8614.
Also note the Region where Identity Center is enabled (e.g. us-east-1).

IAM Identity Center must be enabled in the management account of an AWS Organization. If you see a message about creating an organization, follow the prompts to set one up — it is free.

Step 2 — Create an IAM user for Gateco

Create a dedicated IAM user that Gateco will use to read your Identity Store. Keeping this separate from other service accounts makes it easier to audit and rotate credentials.

Navigate to IAM → Users → Create user.
Username: gateco-idp-reader (or any name meaningful to your org).
On the permissions screen, choose "Attach policies directly" — leave all checkboxes empty for now.
Finish creating the user.
Go to the user → Security credentials → Create access key.
Use case: "Application running outside AWS". Click Next.
Copy both the Access Key ID and Secret Access Key immediately — the secret is shown only once.

Step 3 — Attach the Identity Store read policy

Attach an inline policy with the minimum permissions Gateco needs.

Open the IAM user you created → Add permissions → Create inline policy.
Switch to the JSON editor and paste the policy below.
Name the policy gateco-idp-read and save.

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "identitystore:ListUsers",
        "identitystore:ListGroups",
        "identitystore:ListGroupMemberships",
        "identitystore:DescribeUser",
        "identitystore:DescribeGroup"
      ],
      "Resource": "*"
    }
  ]
}

All identitystore:* actions require "Resource": "*" — AWS does not support resource-level ARN restrictions for the Identity Store service.

Step 4 — Get your Identity Store ID

You already noted this in Step 1, but here is where to find it if you need it again:

Navigate to IAM Identity Center → Settings.
Under "Identity source", copy the Identity store ID (format d-xxxxxxxxxx).

Step 5 — Add credentials to Gateco

In the Gateco dashboard:

Navigate to Identity Providers → Add provider.
Select AWS IAM Identity Center.
Enter the values from the table below.
Click Test connection. Gateco will display the number of users and groups it can read.
Click Save.

Field	Value
`Identity Store ID`	`d-xxxxxxxxxx from IAM Identity Center Settings`
`AWS Region`	`The region where Identity Center is enabled (e.g. us-east-1)`
`Access Key ID`	`The access key ID created in Step 2`
`Secret Access Key`	`The secret access key created in Step 2`

Step 6 — Trigger initial sync

After saving the provider, click Sync now. Gateco will:

List all users from the Identity Store.
List all groups and their memberships.
Create Principal records for each user.
Populate group assignments and department attributes.

Once synced, principals appear in the Principals list and are available for use in policy conditions (principal.groups, principal.attributes.department, etc.).

AWS IAM Identity Center has no native department field. Gateco reads the UserType attribute and maps it to department. Set UserType on your users to enable department-based policy conditions.

Configuration reference

Config field	Example	Required
`identity_store_id`	`d-90660f8614`	`Yes`
`aws_region`	`us-east-1`	`Yes`
`aws_access_key_id`	`AKIAIOSFODNN7EXAMPLE`	`Yes`
`aws_secret_access_key`	`wJalrXUtnFEMI/...`	`Yes`

Troubleshooting

Error	Cause	Fix
`AccessDeniedException: identitystore:ListUsers`	`Policy not attached or not yet propagated`	`Verify the inline policy exists on the IAM user and wait 10 seconds before retrying`
`Users sync but department is empty`	`UserType attribute not set on users`	`Set UserType on each user in IAM Identity Center (custom attribute under Settings → Attributes for access control)`
`Connection test fails with "InvalidClientTokenId"`	`Wrong access key or key deleted`	`Create a new access key and update the credentials in Gateco`

Connect AWS IAM Identity Center to Gateco

Prerequisites

Overview — 6 steps