FAQs - Amazon Honeycode

To our valued customers: After careful consideration, we have made the decision to end the Amazon Honeycode beta service, effective February 29, 2024. New customer sign-ups and account plan upgrades are no longer available. Existing customers will be able to use Honeycode and your Honeycode apps as normal (and add team members to your existing account) until February 29, 2024, when the service will be discontinued. After this date, you will no longer be able to use Honeycode or any of the apps you created in Honeycode. To learn more about this change, and how to download your data, visit the Community Discussions.

FAQs

Q: What regions do you currently support?

A: We support us-west-2. Support for additional regions is coming soon.

Q: What identity providers (IdP) do you currently support?

A: All IdPs supported by AWS IAM Identity Center (successor to AWS SSO) are supported by Honeycode.

Q: Can I use my on-premises Active Directory to sign in to Honeycode?

A: Yes, you can use AWS AD Connector to connect to your on-premises AD. Complete the setup with AWS IAM Identity Center (successor to AWS SSO) and use this setup to sign in to Honeycode. Please refer to How to Connect Your On-Premises Active Directory to AWS Using AD Connector.

Q: Do AWS Directory Service and AWS IAM Identity Center (successor to AWS SSO) need to reside in the same region?

A: Yes, both services need to reside in the same region.

Q: Can I use an external identity provider with AWS IAM Identity Center (successor to AWS SSO)?

A: Yes, you can easily connect to any supported identity provider. Learn more about connecting to an external IdP.

Q: Can I use Google Workspace (formerly known as G Suite) as an external IdP for AWS IAM Identity Center (successor to AWS SSO)?

A: Yes, you can use any SAML-based identity provider. Learn more about connecting G Suite to AWS IAM Identity Center (successor to AWS SSO).

Q: Why do I need to add IAM policies to set up single sign-on?

A: In the AWS Management Console, your user can take only actions authorized by policies attached to the user. Honeycode integrates with several AWS services, including AWS IAM Identity Center (successor to AWS SSO) and AWS Support, to allow setup of single sign-on. Each AWS service maintains its own AWS-managed policies that grant access to actions of their respective services. See Policies and permissions in IAM for more information.

Q: How long does it take Honeycode to reflect the changes made to users/groups in AWS IAM Identity Center (successor to AWS SSO)?

A: It may take up to four hours for your changes to be reflected in Honeycode.

Q: If I have multiple accounts within AWS Organizations, which AWS account should I use to connect to Honeycode?

A: You can use any member account within AWS Organizations to on-board Honeycode SSO. The AWS account that you use will be billed and connected to your Amazon Honeycode team.

Q: Why is my domain status still pending?

A: The status may remain pending if Honeycode couldn’t verify domain ownership due to missing TXT records in the DNS. Please note, DNS propagation to reflect the TXT record may take additional time and result in verification delays.

Q: Why did my domain fail verification?

A: A domain will fail verification if it is already claimed or verified in another AWS account. This can also happen if the claim domain request is outstanding for more than 30 days.

Q: How do I remove a verified domain from my AWS account?

A: Please create an AWS support case and include any domain names you’d like to be removed. The Honeycode team will work with you to have them removed.

Note

Removal of unverified or pending domain names will not have any implications for AWS IAM Identity Center (successor to AWS SSO) or the Honeycode service.

Q: What happens to teams associated with a verified domain that is removed from my AWS account?

A: Removal of verified domains associated with teams would mean immediate disassociation from all teams. This means that all users with the domain email addresses will also be removed from associated teams and their workbooks and apps will be deleted.

Q: How do I remove associated domains from my SSO teams?

A: You can remove any domains associated with an SSO team from the AWS console.

  1. Go to Honeycode > Teams and select a team.

  2. Click View Details.

  3. From the top right of the Team details page, click Edit.

  4. Remove domains from the Select a domain section at the bottom.

Note

Removing a domain from your team will cause Honeycode to remove all users having that domain in their email address. Any workbooks or apps solely owned by these users will be deleted.

Q: How can I contact support for issues with claiming my domain?

A: If you have followed the steps outlined to claim a domain and the status is still pending, please contact for support.

Q: How do I locate my team ID?

A: Your team ID is located in the AWS console on the Team Details page. Go to Honeycode > Teams and select a team. Click View Details.

Q: After I’ve created my first SSO team, how do I create more teams?

A: In the AWS console, go to Honeycode > Teams and click Create SSO team. You’ll be prompted to go through the steps as outlined in Create an SSO team.

Q: How do I add new admins and team members?

A: In the AWS console, go to Honeycode > Teams and select the team you’d like to edit. Click View Details. You can add more admin and member groups in the fields specified below the team details.

Q: How do I delete a team?

A: Currently SSO teams must be manually deleted via an AWS support case. Learn more. Please note you may continue to be billed for 10 days after you delete a team. We will offer you a refund for this time if there is no new usage in your team during this period.

Q: Are there any limits on the number of users and groups that can be added to my Honeycode team?

A: Any restrictions we currently have on users or groups are inherited from AWS IAM Identity Center (successor to AWS SSO) or your IdP. Please refer to AWS IAM Identity Center (successor to AWS SSO) limits for details.

Q: What happens if the alias of a team admin or member changes in the IdP?

A: AWS IAM Identity Center (successor to AWS SSO) defines the uniqueness criteria here. Honeycode currently relies on user emails to define uniqueness. A change of email address may result in a user being unable to sign in to Honeycode.

Q: What happens when a group is removed from the team?

A: Removal of a group would mean that the users in that group will no longer be able to sign in to Honeycode. Any workbooks and apps solely owned by the removed users will be deleted.

Q: Can I delete the service linked role used for connecting IAM Identity Center to Honeycode?

A: AWS IAM will prevent the deletion of the service role while your Honeycode team or resources are in use. Once you have off-boarded from Honeycode completely, you can then remove the service-linked role.

Q: How are workbooks and apps shared with groups?

A: When sharing workbooks and apps in Honeycode, search for group names as identified in the AWS console. You may share with individual email addresses as well.

Q: What happens to workbooks owned by an admin or team member who leaves an SSO team?

A: If an admin or member is no longer part of a team, all workbooks and apps solely owned by the user are deleted. To avoid any loss of data, Honeycode recommends that workbook owners transfer ownership to a new owner prior to leaving the team.

Q: How can a team admin transfer ownership of a workbook to another admin or team member?

A: Team admins and workbook owners can share a workbook via Honeycode and assign owner status.

Q: What happens to workbooks owned by an admin or team member that is no longer in the IdP?

A: Honeycode uses groups as configured in AWS IAM Identity Center (successor to AWS SSO). If an admin or team member is no longer present in AWS IAM Identity Center groups, they will be automatically removed from all teams they are assigned to.

Note

Removal of a team admin or member in your IdP such as Okta, Azure, or Active Directory will not be identified by Honeycode unless the same changes are reflected in AWS IAM Identity Center (successor to AWS SSO).

Q: Can I integrate my Honeycode apps with external systems after I activate IAM Identity Center?

A: Yes, we support the use of Honeycode APIs/SDKs, plus Zapier, Amazon AppFlow, Webhooks, and future integrations if you are using SSO.