[AWS] Introducing SSO access for Snowplow Support Team

Nick Stanchenko  
Edited

[03-Jul-2025] This notice only applies to AWS customers on Private Managed Cloud.

We're introducing single sign-on (SSO) for our support team's access to your Snowplow environment. This will standardize how our team authenticates across all customer accounts using our Okta identity platform. There is no action required from you.

What’s changing

To enable SSO functionality, we need to make a one-time update to the trust policy of your SnowplowAdmin role. Specifically, we'll be removing the aws:MultiFactorAuthPresent condition, as Okta SSO handles MFA internally.

The new authentication flow will be: Okta SSO → our internal role → your SnowplowAdmin role. Since Okta doesn't pass MFA context through STS calls (unlike IAM users), the MFA condition in the trust policy needs to be removed. MFA is still enforced at the Okta level, and we've implemented additional role-based controls to ensure only authorized access.

What stays the same

  • Your account permissions remain unchanged
  • All access continues to be logged in your CloudTrail
  • The trust policy still allows assumptions from the Snowplow account (arn:aws:iam::793733611312:root)
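
If you want to check the SnowplowAdmin trust policy yourself before and after the update, the sketch below shows one way to do it. It is an added example, not Snowplow's code: it reports whether the MFA condition is still present and whether any principal other than the Snowplow account can assume the role. The two sample policies are constructed for illustration; only the condition key and the account ARN come from this notice.

```python
import json

# Principal named in the notice; everything else below is constructed sample data.
SNOWPLOW_ROOT = "arn:aws:iam::793733611312:root"

def as_list(value):
    return value if isinstance(value, list) else [value]

def requires_mfa(statement):
    """True if a Bool condition pins aws:MultiFactorAuthPresent to true."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() != "bool":  # BoolIfExists also passes when the key is absent
            continue
        for key, val in keys.items():
            if key.lower() == "aws:multifactorauthpresent" and \
                    "true" in [str(v).lower() for v in as_list(val)]:
                return True
    return False

def audit_trust_policy(policy_json):
    """Summarise every Allow statement that can grant sts:AssumeRole."""
    result = {"mfa_required": True, "unexpected_principals": []}
    relevant = 0
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        relevant += 1
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else [
            p for group in principal.values() for p in as_list(group)]
        result["unexpected_principals"] += [p for p in names if p != SNOWPLOW_ROOT]
        result["mfa_required"] &= requires_mfa(stmt)
    result["mfa_required"] = bool(relevant) and result["mfa_required"]
    return result

def sample_policy(condition):
    """Build a constructed trust policy with an optional Condition block."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": SNOWPLOW_ROOT}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

BEFORE = sample_policy({"Bool": {"aws:MultiFactorAuthPresent": "true"}})
AFTER = sample_policy(None)

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_trust_policy(doc))
```

To run it against your real policy, pass in the JSON returned by `aws iam get-role --role-name SnowplowAdmin --query Role.AssumeRolePolicyDocument`. After the update you should see the MFA requirement reported as absent and an empty list of unexpected principals.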

Implementation

We'll handle this update over the coming weeks and will post a confirmation once complete.

If you have any questions about this SSO implementation, please feel free to reach out to the Support Team at support@snowplow.io.