We are deprecating the AWS SSO SCIM-based integration for meshStack's AWS IAM Identity Center connectivity. This integration method will be removed on October 1, 2026.
Why We're Deprecating This
The SCIM token approach has several drawbacks:
  • Over-privileged: The SCIM token grants more permissions than meshStack needs
  • Requires manual rotation of long-lived secrets
  • Reduced auditability in AWS CloudTrail (shared token with other systems like Entra ID)
What Replaces It
The AWS Identity Store API integration (available since meshStack v2026.10.0) is the recommended replacement:
  • Uses an IAM role with least-privilege Identity Store permissions
  • Compatible with Workload Identity Federation — fully secret-less operation possible
  • Better CloudTrail auditability per action
  • Supports locally managed IAM Identity Center users
Timeline
  • Now: AWS Identity Store API integration is available and recommended for all new AWS platform setups
  • October 1, 2026: AWS SSO SCIM integration will be removed from meshStack
Migration
To migrate, follow our in-place upgrade guide:
  1. Apply the updated terraform-aws-meshplatform v0.7.0 module to add Identity Store IAM permissions to your AWS integrations in addition to existing AWS SSO SCIM permissions.
  2. Switch the IAM integration type to "AWS Identity Store API" in your AWS platform configuration. You can do this via meshPanel, or use this opportunity to start managing your meshPlatform via Terraform.
  3. Remove the old SCIM token and permissions after successful validation
Full migration documentation is available at https://docs.meshcloud.io/docs/integrations/aws/sso-setup.html
If you need help migrating, contact us at support@meshcloud.io or reach out to your Customer Success contact.