AWS IAM Identity Center (SSO with all Organization Accounts)
When you use AWS Organizations to manage multiple AWS accounts together, it is always important how you manage AWS console login for each account.
- As the root/admin user, you want to log in to each AWS account and manage its resources.
- Other users specific to one AWS account should be able to log in and manage resources for that specific account only.
- One simple way to manage users per account is to create the same user in each AWS account with whatever access you want, but then it becomes very difficult to manage each user's access by going into every account, and even the admin user has to maintain multiple accounts, since their user exists in every AWS account.
- To avoid the case above (managing credentials for multiple accounts), the admin (AWS Organizations) user can use cross-account access roles to manage the other accounts, but that is still a tedious task.
The preferred way is to use IAM Identity Center to create users and manage access centrally from one location. Each user then needs just one account, and whichever AWS accounts you grant access to, the user can log in to them with SSO.
Demo Steps:
- In the case of an AWS Organizations account:
- Log in to the organization's management (root) account and search for the IAM Identity Center service.
- Enable it, if not done already.
- Note: make sure you are using the AWS region you want. If Identity Center is already enabled in any other region, you first have to delete it from that region: switch to that region, go to Settings, open the Management tab and delete it.
- Once it is enabled, then:
- Create groups (from the left menu) with the required names. For example, you can have an admin group that accesses all accounts, a group that manages a few specific accounts, or a group that manages a specific service in a specific account; just create those groups with logical names.
- Create permission sets (from the left menu). I recommend creating custom permission sets and then selecting the policies you want to attach to each one. If you create a predefined (non-custom) permission set, you can map only one policy to it, so it is better to always create custom permission sets and give them logical names such as admin access or power user access.
- Create users (from the left menu): give the user name and email ID, then add the user to the required group.
- Now map each group to its permission sets and to the AWS accounts that group will manage: go to the AWS accounts link in the left menu, select the accounts for each user group you created above, click Assign users and groups, and there select the group and the permission sets you want to apply to it. Do this one group at a time instead of all at once; otherwise the group and permission set mapping can go wrong, with every permission set assigned to every group.
- To validate which groups and permission sets have been assigned to each account, open each account by clicking its name on the AWS accounts page and check the Users and groups tab.
- Once all done, copy the SSO login (access portal) URL from the Settings section. This is the URL you use to log in; after login it shows all the accounts you have access to, and you can select an account to be redirected to its console.
- You can have your own custom subdomain for the SSO login URL; go to the Settings section and modify the URL there.
- Also in the Settings section you can update the remaining settings if needed, such as using your own AD instead of the AWS Identity Center directory, or enabling 2FA for all accounts.
- Now use the access portal SSO URL and log in with your credentials. On successful login it redirects you to a page listing all the AWS accounts you have access to, and you can click any of them to navigate to the AWS console.
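To make the validation step repeatable, here is a small audit script added as an example (it is not part of the original post): it collapses a list of account assignments, in the shape returned by `aws sso-admin list-account-assignments` but constructed inline here with placeholder account IDs, ARNs and group IDs, into a group/account/permission-set map and diffs it against the intended design, flagging the "every permission set on every group" mistake described in the mapping step.

```python
from collections import defaultdict

# Intended design (assumed for this example): group -> account -> permission sets.
INTENDED = {
    "admins": {"111111111111": {"AdminAccess"}, "222222222222": {"AdminAccess"}},
    "dev-team": {"222222222222": {"PowerUserAccess"}},
}

# Constructed sample in the shape of the AccountAssignments list returned by
# `aws sso-admin list-account-assignments`; IDs and ARNs are placeholders.
PS_ARN = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/"
PERMISSION_SET_NAMES = {PS_ARN + "ps-admin": "AdminAccess", PS_ARN + "ps-power": "PowerUserAccess"}
GROUP_NAMES = {"g-admins": "admins", "g-dev": "dev-team"}
ACTUAL_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PrincipalType": "GROUP", "PrincipalId": "g-admins",
     "PermissionSetArn": PS_ARN + "ps-admin"},
    {"AccountId": "222222222222", "PrincipalType": "GROUP", "PrincipalId": "g-dev",
     "PermissionSetArn": PS_ARN + "ps-power"},
    # The mistake the walkthrough warns about: the admin set also landed on dev-team.
    {"AccountId": "222222222222", "PrincipalType": "GROUP", "PrincipalId": "g-dev",
     "PermissionSetArn": PS_ARN + "ps-admin"},
    # A direct user assignment; ignored below because the design is group-based.
    {"AccountId": "222222222222", "PrincipalType": "USER", "PrincipalId": "u-alice",
     "PermissionSetArn": PS_ARN + "ps-admin"},
]


def actual_mapping(assignments, ps_names, group_names):
    """Collapse raw assignments into group -> account -> set of permission set names."""
    mapping = defaultdict(lambda: defaultdict(set))
    for a in assignments:
        if a["PrincipalType"] != "GROUP":
            continue
        group = group_names.get(a["PrincipalId"], a["PrincipalId"])
        ps_name = ps_names.get(a["PermissionSetArn"], a["PermissionSetArn"])
        mapping[group][a["AccountId"]].add(ps_name)
    return mapping


def audit(intended, actual):
    """Return sorted (group, account, 'extra'|'missing', permission set) findings."""
    findings = []
    for group in sorted(set(intended) | set(actual)):
        accounts = set(intended.get(group, {})) | set(actual.get(group, {}))
        for acct in sorted(accounts):
            want = intended.get(group, {}).get(acct, set())
            have = actual.get(group, {}).get(acct, set())
            findings += [(group, acct, "extra", p) for p in sorted(have - want)]
            findings += [(group, acct, "missing", p) for p in sorted(want - have)]
    return findings
```

Against a real instance, replace ACTUAL_ASSIGNMENTS with the paginated output of list-account-assignments for each account and keep INTENDED as the documented design; any "extra" finding is access the design never granted.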
Categories/Tags: sso~iam identity center