How to Configure AWS SSO for AWS Account Access with IAM Identity Center?

Configure AWS SSO for AWS Account Access with IAM Identity Center
Understanding IAM Identity Center

AWS IAM Identity Center is a centralized platform for administrators to define, customize, and assign access to workforce users. It simplifies access management across AWS accounts, AWS applications, and third-party SAML-enabled applications, eliminating the need for long-lived credentials. With AWS SSO, administrators can connect users to resources, manage access, and create or import users. Familiarity with AWS SSO helps when establishing connections between services and when using third-party identity providers such as Okta, which is common in professional settings.

PRE-REQUISITES
  1. Before proceeding with the configuration, it’s important to establish clear expectations.
  2. Only the most basic AWS services and features will be used to ensure simplicity.
  3. The guide has been designed to minimize complexity and ensure ease of use for those who are less familiar with AWS.
  4. Configuration will be done using the AWS console.

Upon completion of the configuration steps, you will be able to access the AWS account console with a single click via the AWS SSO user portal and utilize credentials for a specific AWS IAM role in a designated AWS account for CLI usage through a single command.

AWS SSO user portal

Let us understand the ins and outs of the configuration first.

The configuration:
  • Select the region into which you would like to deploy your AWS SSO configuration. Please note that AWS SSO is restricted to a single region. For demonstration purposes, the eu-west-1 region will be utilized throughout this blog post.

  • Within the search bar, locate the AWS SSO service. Entering “sso” should suffice. Click the service tile to access the corresponding dashboard.

  • Upon arriving at the AWS SSO dashboard and presuming that the service is not yet enabled in any other AWS regions, a landing page will be displayed that includes a prominent “Enable AWS SSO” button. Select this button to proceed.

  • Provided that no AWS Organizations have been established within the account, the AWS console will prompt you to create one. Select the “Create AWS Organization” button to proceed.

Following a brief delay as the AWS console creates the AWS Organization, you will be directed to the AWS SSO service dashboard.
If you are unfamiliar with AWS and require an explanation of AWS Organizations, consider them to be a tool that simplifies the process of generating multiple AWS accounts.

  • Next, it is necessary to generate an AWS account to be utilized with AWS SSO. Locate the AWS Organization that was previously created by searching for the service name.

  • Next, select the “Add an AWS account” button.

  • To create a new AWS account, choose the name of your preference. Adding the suffix “Development” is recommended to indicate that this account is for experimentation purposes and contains deployed AWS resources.
  • The default value for “IAM role name” can be retained, as the permission model of AWS Organizations is beyond the scope of this article. For personal use, there is no need to include any tags.

  • Once the AWS account creation and password setup are complete, the next step is to return to the AWS SSO dashboard to complete the configuration.

  • To enable SSO access to a specific AWS account, a permission set needs to be created, which is essentially a collection of IAM Policies. To do this, navigate to the “Permission sets” tab in the AWS SSO dashboard and click on “Create permission set”. This step will grant you access to the AWS account without requiring long-lived credentials.


  • To create a permission set for acquiring IAM Policies when SSOing into an AWS account, switch to the “Permission sets” tab and click on “Create permission set” in the AWS SSO dashboard.
    • In the permission set creation wizard, I recommend selecting “Use an existing job function policy” for the “Type” step, unless you are proficient in writing AWS IAM Policies.
    • For the “Detail” step, select the “PowerUserAccess” policy and ensure you understand what it grants.
    • Tags can be useful in a work environment where multiple teams operate on different resources.
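To make the “ensure you understand what it grants” step concrete, here is an added example (not part of the original post) that evaluates individual API actions against the structure of the AWS managed PowerUserAccess policy: an Allow on everything via NotAction for iam, organizations and account, plus an Allow on a short list of read-only and service-linked-role actions. The policy body is reproduced from memory as an approximation; compare it with the live policy in the IAM console, as AWS has amended the action list over time.

```python
import fnmatch

# Approximation of the AWS managed PowerUserAccess policy (assumption: check
# the live policy in the IAM console, the action lists have changed over time).
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "NotAction": ["iam:*", "organizations:*", "account:*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
                    "iam:ListRoles", "organizations:DescribeOrganization",
                    "account:ListRegions", "account:GetAccountInformation"],
         "Resource": "*"},
    ],
}


def _matches(patterns, action):
    # IAM action names are case-insensitive and patterns may use '*' wildcards.
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def _statement_applies(stmt, action):
    # A statement applies if the action is listed in Action, or is NOT listed
    # in NotAction (NotAction is how PowerUserAccess says "everything except").
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _matches(stmt["NotAction"], action)
    return False


def evaluate(policy, action):
    """Simplified IAM evaluation for identity-based policies with Resource '*':
    an explicit Deny wins, otherwise any matching Allow grants, otherwise the
    request is implicitly denied."""
    decision = "Deny"  # implicit deny until an Allow matches
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for a in ["s3:PutObject", "ec2:RunInstances", "iam:CreateUser",
              "iam:ListRoles", "organizations:CreateAccount", "sts:AssumeRole"]:
        print(f"{a:30} -> {evaluate(POWER_USER_ACCESS, a)}")
```

The output shows why the policy is still broad: a user with this permission set can create and delete almost any resource (S3, EC2, STS) but cannot create IAM users or roles, which is the one guard rail the job function policy provides.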

  • To proceed with creating a user that can sign into an AWS SSO user portal, navigate to the “Users” tab and locate the “Add user” button. This step is crucial as it allows us to associate the user with a permission set and AWS account later.

  • Once the AWS SSO user has been successfully created, it is necessary to integrate all the configurations done so far. To do so, proceed to the “AWS accounts” tab, where the AWS SSO user will be linked with a specific permission set and an AWS account.


Below is a series of screenshots that can aid in navigating the steps of this configuration process.


Testing

Next, we will perform a test on our setup to ensure everything is working properly, starting with accessing the AWS console using AWS SSO.

AWS console access through AWS SSO

Upon completion of step 12 from the aforementioned section, proceed to the “Dashboard” tab of AWS SSO and retrieve the “User portal URL” by copying it.

Once you have successfully signed in with the AWS SSO user credentials, you should be able to select the combination of the AWS account and the permission set that we have configured in the previous section.

The “Management console” link should redirect you to a specific AWS account, where you will be logged in as a federated user with the scope limited to the chosen permission set. It is recommended to bookmark the “User portal URL” for convenient access in the future.

Final Thoughts

Setting up AWS SSO for AWS account login provides a secure and efficient approach to managing user access across multiple AWS accounts. By centralizing authentication and authorization, AWS SSO eliminates the need for long-lived credentials and simplifies the login process for users. With the step-by-step guide provided, users can easily configure AWS SSO, create permission sets, and associate them with AWS accounts and users.
