
In the document: Amazon Honeycode (pages 10-20)

Users in your admin and member groups will now be able to sign in to Amazon Honeycode using their corporate credentials. It may take up to 4 hours from initial setup before the full Honeycode service is available for use.

Note: Any subsequent changes made to team groups or domains, or changes in group membership (in AWS SSO), may take up to 4 hours to be reflected in Honeycode.

4. Review SSO team details

Verify that your SSO team details are correct and click Finish.

Deleting an SSO team


To request deletion of an SSO team, please create an AWS support case.

1. From the top menu of the AWS console, select Support > Support center, and then click Create case.

2. File the case under: Account and billing support

3. Under Case details, please make the following selections:

a. Type: General Info and Getting Started

b. Category: Using AWS & Services

c. Subject: Delete Honeycode SSO team

4. Please include the following details in the support ticket:

• Team ID

5. Click Submit


Note: You will continue to be billed for up to 10 business days after you’ve requested deletion. We will offer you a refund for this time assuming you’ve had no new usage.

FAQs

AWS account & Honeycode

Q: What regions do you currently support?

A: We support us-west-2. Support for additional regions is coming soon.

Q: What identity providers (IdP) do you currently support?

A: All IdPs supported by AWS SSO are supported by Honeycode.


Q: Can I use my on-premises active directory to sign in to Honeycode?

A: Yes, you can use AWS AD Connector to connect to your on-premises AD. Complete the setup with AWS SSO and use this setup to sign in to Honeycode. Please refer to How to Connect Your On-Premises Active Directory to AWS Using AD Connector.

Q: Does the AWS Directory Service and AWS SSO need to reside in the same region?

A: Yes, both services need to reside in the same region.

Q: Can I use an external identity provider with AWS SSO?

A: Yes, you can easily connect to any supported identity provider. Learn more about connecting to an external IdP.

Q: Can I use Google Workspace (formerly known as G Suite) as an external IdP for AWS SSO?

A: Yes, you can use any SAML-based identity provider. Learn more about connecting G Suite to AWS SSO.

Q: Why do I need to add IAM policies to set up single sign-on?

A: In the AWS Management Console, your user can take only actions authorized by policies attached to the user. Honeycode integrates with several AWS services, including AWS SSO and AWS Support, to allow setup of single sign-on. Each AWS service maintains its own AWS-managed policies that grant access to actions of their respective services. See Policies and permissions in IAM for more information.

Q: How long does it take Honeycode to reflect the changes made to users/groups in AWS SSO?

A: It may take up to four hours for your changes to be reflected in Honeycode.

Q: If I have multiple accounts within AWS Organizations, which AWS account should I use to connect to Honeycode?

A: You can use any member account within AWS Organizations to on-board Honeycode SSO. The AWS account that you use will be billed and connected to your Amazon Honeycode team.

Domains

Q: Why is my domain status still pending?

A: The status may remain pending if Honeycode couldn’t verify domain ownership due to missing TXT records (p. 3) in the DNS. Note that DNS propagation of the TXT record may take additional time and delay verification.

Q: Why did my domain fail verification?

A: A domain will fail verification if it is already claimed or verified in another AWS account. This can also happen if the claim domain request is outstanding for more than 30 days.

Q: How do I remove a verified domain from my AWS account?

A: Please create an AWS support case and include any domain names you’d like to be removed. The Honeycode team will work with you to have them removed.

Note: Removal of unverified or pending domain names will not have any implications for AWS SSO or the Honeycode service.

Q: What happens to teams associated with a verified domain that is removed from my AWS account?

A: Removing a verified domain that is associated with teams immediately disassociates it from all teams. This means that all users with the domain email addresses will also be removed from associated teams and their workbooks and apps will be deleted.


Q: How do I remove associated domains from my SSO teams?

A: You can remove any domains associated with an SSO team from the AWS console.

1. Go to Honeycode > Teams and select a team.

2. Click View Details.

3. From the top right of the Team details page, click Edit.

4. Remove domains from the Select a domain section at the bottom.

Note: Removing domains from a team removes all users with email addresses in the same domain, and any workbooks or apps solely owned by them will be deleted.

Q: How can I contact support for issues with claiming my domain?

A: If you have followed the steps outlined to claim a domain and the status is still pending, please contact <[email protected]> for support.

Team management

Q: How do I locate my team ID?

A: Your team ID is located in the AWS console on the Team Details page. Go to Honeycode > Teams and select a team. Click View Details.

Q: After I’ve created my first SSO team, how do I create more teams?

A: In the AWS console, go to Honeycode > Teams and click Create SSO team. You’ll be prompted to go through the steps as outlined in Create an SSO team (p. 5).

Q: How do I add new admins and team members?

A: In the AWS console, go to Honeycode > Teams and select the team you’d like to edit. Click View details. You can add more admin and member groups in the fields specified below the team details.

Q: How do I delete a team?

A: Currently SSO teams must be manually deleted via an AWS support case. Learn more. (p. 8) Please note you may continue to be billed for 10 days after you delete a team. We will offer you a refund for this time if there is no new usage in your team during this period.

Q: Are there any limits on the number of users and groups that can be added to my Honeycode team?

A: Any restrictions we currently have on users or groups are inherited from AWS SSO or your IdP.

Please refer to AWS SSO limits for details.

Q: What happens if the alias of a team admin or member changes in the IdP?

A: AWS SSO defines the uniqueness criteria here. Honeycode currently relies on user emails to define uniqueness. A change of email address may result in a user being unable to sign in to Honeycode.

Q: What happens when a group is removed from the team?

A: Removal of a group would mean that the users in that group will no longer be able to sign in to Honeycode. Any workbooks and apps solely owned by the removed users will be deleted.

Q: Can I delete the service-linked role used for connecting AWS SSO to Honeycode?

A: AWS IAM will prevent the deletion of the service-linked role while your Honeycode team or resources are in use. Once you have off-boarded from Honeycode completely, you can remove the service-linked role.


Workbooks and apps

Q: How are workbooks and apps shared with groups?

A: When sharing workbooks and apps in Honeycode, search for group names as identified in the AWS console. You may share with individual email addresses as well.

Q: What happens to workbooks owned by an admin or team member who leaves an SSO team?

A: If an admin or member is no longer part of a team, all workbooks and apps solely owned by the user are deleted. To avoid any loss of data, Honeycode recommends that workbook owners transfer ownership to a new owner prior to leaving the team.

Q: How can a team admin transfer ownership of a workbook to another admin or team member?

A: Team admins and workbook owners can share a workbook via Honeycode and assign owner status.

Q: What happens to workbooks owned by an admin or team member that is no longer in the IdP?

A: Honeycode uses groups as configured in AWS SSO. If an admin or team member is no longer present in AWS SSO groups, they will be automatically removed from all teams they are assigned to.

Note: Removal of a team admin or member in your IdP such as Okta, Azure, or Active Directory will not be identified by Honeycode unless the same changes are reflected in AWS SSO.

APIs and integrations

Q: Can I integrate my Honeycode apps with external systems after I activate AWS Single Sign-On?

A: Yes, we support the use of Honeycode APIs/SDKs, plus Zapier, Amazon AppFlow, Webhooks, and future integrations if you are using SSO.


Security in Amazon Honeycode

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Amazon Honeycode, see AWS Services in Scope by Compliance Program.

Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using Honeycode. The following topics show you how to configure Honeycode to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Honeycode resources.

Topics

• Using Service-Linked Roles for Honeycode (p. 13)

Using Service-Linked Roles for Honeycode

Amazon Honeycode uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Honeycode. Service-linked roles are predefined by Honeycode and include all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Honeycode easier because you don’t have to manually add the necessary permissions. Honeycode defines the permissions of its service-linked roles, and unless defined otherwise, only Honeycode can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

You can delete a service-linked role only after first deleting its related resources. This protects your Honeycode resources because you can't inadvertently remove permission to access the resources.

For information about other services that support service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-Linked Role Permissions for Honeycode

Honeycode uses the service-linked role named AWSServiceRoleForAmazonHoneycode – required for Amazon Honeycode to access your resources.


The AWSServiceRoleForAmazonHoneycode service-linked role trusts the following services to assume the role:

• honeycode.amazonaws.com

The role permissions policy allows Honeycode to complete the following actions on the specified resources:

• Action: sso:GetManagedApplicationInstance on all AWS resources

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see Service-Linked Role Permissions in the IAM User Guide.
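The following added example (not part of the Honeycode guide) audits a role's trust and permissions policy documents against the shape documented above: only `honeycode.amazonaws.com` trusted, only `sso:GetManagedApplicationInstance` allowed. The `audit_role` helper and the sample documents are constructed for illustration; the `sts:AssumeRole` trust action in the samples is an assumption.

```python
EXPECTED_SERVICE = "honeycode.amazonaws.com"
EXPECTED_ACTIONS = {"sso:getmanagedapplicationinstance"}  # IAM action names are case-insensitive

def _as_list(value):
    """IAM policy JSON allows a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_role(trust_doc, permissions_doc):
    """Return findings; an empty list means both documents match the documented shape."""
    findings, trusted = [], set()
    for stmt in _as_list(trust_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust: wildcard principal")
            continue
        for kind, values in principal.items():
            for name in _as_list(values):
                if kind == "Service" and name == EXPECTED_SERVICE:
                    trusted.add(name)
                else:
                    findings.append(f"trust: unexpected {kind} principal {name}")
    if EXPECTED_SERVICE not in trusted:
        findings.append(f"trust: {EXPECTED_SERVICE} is not trusted")
    for stmt in _as_list(permissions_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("permissions: NotAction allows more than documented")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in EXPECTED_ACTIONS:
                findings.append(f"permissions: unexpected action {action}")
    return findings

# Constructed sample documents (not exported from a real account).
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "honeycode.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sso:GetManagedApplicationInstance", "Resource": "*"}]}
DRIFT_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "honeycode.amazonaws.com",
                  "AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole"}]}
DRIFT_PERMS = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
    "Action": ["sso:GetManagedApplicationInstance", "sso:*"], "Resource": "*"}}

if __name__ == "__main__":
    print(audit_role(GOOD_TRUST, GOOD_PERMS))
    print(audit_role(DRIFT_TRUST, DRIFT_PERMS))
```

The trust document can be taken from the `AssumeRolePolicyDocument` field that `aws iam get-role` returns for the role.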

Creating a Service-Linked Role for Honeycode

You don't need to manually create a service-linked role. When you set up Honeycode integration with AWS SSO in the AWS Management Console, the AWS CLI, or the AWS API, Honeycode creates the service-linked role for you.

Important

This service-linked role can appear in your account if you completed an action in another service that uses the features supported by this role. Also, if you were using the Honeycode service before November 18, 2020, when it began supporting service-linked roles, then Honeycode created the AWSServiceRoleForAmazonHoneycode role in your account. To learn more, see A New Role Appeared in My IAM Account.

Creating a Service-Linked Role in Honeycode (Console)

You can use the Honeycode console to create a service-linked role.

Follow the Single Sign-On section of this guide to create the service-linked role.

You can also use the IAM console to create a service-linked role with the Honeycode use case. In the AWS CLI or the AWS API, create a service-linked role with the honeycode.amazonaws.com service name. For more information, see Creating a Service-Linked Role in the IAM User Guide. If you delete this service-linked role, you can use this same process to create the role again.


If you delete this service-linked role, and then need to create it again, you can use the same process to recreate the role in your account. When you set up Honeycode integration with AWS SSO, Honeycode creates the service-linked role for you again.

Editing a Service-Linked Role for Honeycode

Honeycode does not allow you to edit the AWSServiceRoleForAmazonHoneycode service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see Editing a Service-Linked Role in the IAM User Guide.

Deleting a Service-Linked Role for Honeycode

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must clean up your service-linked role before you can manually delete it.


Cleaning Up a Service-Linked Role

Before you can use IAM to delete a service-linked role, you must first delete any resources used by the role.

To ensure that Honeycode is not using any resources in your account, open an AWS Support Case and request deletion of the service-linked role.

Manually Delete the Service-Linked Role

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAmazonHoneycode service-linked role. For more information, see Deleting a Service-Linked Role in the IAM User Guide.

Supported Regions for Honeycode Service-Linked Roles

Honeycode supports using service-linked roles in all of the regions where the service is available. For more information, see AWS Regions and Endpoints.

Document History for Administrator's Guide

The following table describes the documentation for this release of Amazon Honeycode.

API version: latest

Latest documentation update: Apr 5, 2021


AWS glossary

For the latest AWS terminology, see the AWS glossary in the AWS General Reference.
