Friday, 1 August 2025

Introduction to AWS IAM Identity Center




IAM Identity Center (formerly AWS Single Sign-On, or AWS SSO) enables you to centrally manage workforce access to multiple AWS accounts and applications via single sign-on.

IAM vs IAM IC


Note the difference between:
  • IAM
    • Users
    • User Groups
    • Roles
    • Policies
    • Identity providers
    • Root Access Management
  • IAM Identity Center
    • Users
    • Groups

AWS IAM Users are local, long-term identities within a single account used for programmatic access, while IAM Identity Center Users are modern, centralized identities (usually from an external directory) intended for single sign-on (SSO) access across multiple AWS accounts. Identity Center offers better security, automated lifecycle management, and SSO, whereas IAM is for specific, per-account access. 

Core Differences Between IAM and IAM Identity Center Users


  • Scope & Management:
    • IAM Users: Created within one specific AWS account. Managing access across 10+ accounts requires manual, redundant setup.
    • IAM Identity Center User: Centrally managed across all accounts within an AWS Organization. Enables SSO with one login to access multiple accounts, CLI, and third-party apps.
  • Authentication & Credential Type:
    • IAM Users: Use static, long-term access keys and passwords. They require manual rotation, which increases security risk.
    • IAM Identity Center User: Uses temporary, short-term credentials, enhancing security by reducing the risk of compromised credentials.
  • External Integration (IdP):
    • IAM Users: Managed only within AWS.
    • IAM Identity Center User: Integrates with external identity providers (IdPs) like Okta, Microsoft Entra ID (formerly Azure AD), or Google Workspace via SCIM.
  • Best Practice Usage:
    • IAM Users: Used for "service accounts" (e.g., cron scripts, APIs) that do not support role-based access.
    • IAM Identity Center User: Recommended for all human users accessing the AWS Management Console, Command Line Interface (CLI), or APIs. 

Summary Table


Feature        IAM User                         IAM Identity Center User
-------------  -------------------------------  -------------------------------
Primary Use    Single account, long-term apps   Multi-account, human SSO
Credentials    Long-term (key/password)         Temporary (token)
Management     Decentralized (per account)      Centralized (across Org)
External IdP   No                               Yes (SCIM)
MFA            Manual setup                     Enforced (FIDO/TOTP)
Best For       Services/scripts                 Humans (devs/admins)

In short, use IAM Identity Center for people and IAM Users only for machines.
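The practical consequence of the "long-term vs temporary credentials" row above is that IAM users are the place where stale keys and MFA-less passwords accumulate. The script below is an added example (not code from the original post) that audits the CSV produced by the IAM credential report (aws iam generate-credential-report / get-credential-report) for exactly those two conditions. The report text embedded here is constructed sample data that uses only the columns the check needs; the real report carries more columns.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of the IAM credential report CSV. Only the
# columns used by the audit are included; a real report has additional columns.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T09:00:00+00:00,true,false,true,2023-01-05T12:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-06-01T08:00:00+00:00,false,false,true,2025-07-01T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-05-20T14:30:00+00:00,true,true,false,N/A,false,N/A
"""

# Fixed "now" so the sample evaluation is reproducible (constructed value).
REFERENCE_TIME = datetime(2025, 8, 1, 12, 0, tzinfo=timezone.utc)


def parse_timestamp(value):
    """The report uses N/A / not_supported / no_information for absent dates."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) tuples for console passwords without MFA and
    active access keys older than max_key_age_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # A console password that is not protected by MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        # Each IAM user can hold two access keys; check the active ones.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age_days = (now - rotated).days
            if age_days > max_key_age_days:
                findings.append(
                    (user, f"access key {slot} is {age_days} days old (>{max_key_age_days})")
                )
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, REFERENCE_TIME):
        print(f"{user}: {finding}")
```

Against the sample, only alice is flagged (no MFA on her console password, and an access key well past 90 days); the ci-deploy service user's key is recent and bob has MFA and no keys. The machine-only users that the post says should remain as IAM users are exactly the ones whose key age this check keeps an eye on.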


IAM Identity Center setup


(1) Confirm your identity source


The identity source is where you administer users and groups, and it is the service that authenticates your users. By default, IAM Identity Center creates an Identity Center directory.

(2) Manage permissions for multiple AWS accounts


Give users and groups access to specific AWS accounts in your organization.

(3) Set up application user and group assignments


Give users and groups access to specific applications configured to work with IAM Identity Center.

(4) Register a delegated administrator


Delegate the ability to manage IAM Identity Center to a member account in your AWS organization.



AWS SSO Authentication


When you run aws sso login, it initiates an authentication flow that communicates with your organization's configured IAM Identity Center instance to obtain temporary AWS credentials for CLI use. This command does not interact with the legacy AWS SSO service, but with the current IAM Identity Center (the new, official name as of July 2022). The authentication process exchanges your SSO credentials for tokens that allow you to use other AWS CLI commands with the associated permissions.

aws sso login --profile my_profile

The profile named in aws sso login --profile my_profile must be defined in your AWS CLI configuration file, specifically in ~/.aws/config (on Linux/macOS) or %USERPROFILE%\.aws\config (on Windows).

To define or create an SSO profile, use the interactive command:

aws configure sso --profile my_profile

This command will prompt you for required details such as the SSO start URL, AWS region, account ID, and role name, and then write them into your ~/.aws/config file.

A typical SSO profile configuration in ~/.aws/config might look like:

[profile my_profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

[sso-session my-sso]
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access


Never define the profile in ~/.aws/credentials; SSO profiles rely on ~/.aws/config.

After defining it, aws sso login --profile my_profile will use the details in ~/.aws/config to initiate login.

The most straightforward method is using aws configure sso with your desired profile name as shown above.

If you already have an SSO session defined, you can reuse it across multiple profiles by referencing the same sso_session.
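Because aws sso login silently fails or falls back to other credentials when the profile is wired up incorrectly, it is worth validating the two files before use. The script below is an added example, not part of the original post: it parses an ~/.aws/config in the [profile ...] / [sso-session ...] layout shown above, checks that every SSO profile points at a defined session and carries a 12-digit account ID and a role name, flags the older per-profile layout (sso_start_url placed directly in the profile), and reports any section of ~/.aws/credentials that contains sso_* keys. Both file contents embedded below are constructed samples; the "broken" profile and the credentials sections are deliberately wrong to exercise the checks.

```python
import configparser
import re

# Constructed ~/.aws/config: one valid profile plus one deliberately broken one.
SAMPLE_CONFIG = """
[profile my_profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess

[sso-session my-sso]
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile broken]
sso_session = missing-session
sso_account_id = 12345
sso_role_name = ReadOnlyAccess
"""

# Constructed ~/.aws/credentials: SSO settings do not belong here at all.
SAMPLE_CREDENTIALS = """
[my_profile]
sso_start_url = https://myorg.awsapps.com/start

[ci-deploy]
aws_access_key_id = PLACEHOLDER_KEY_ID
aws_secret_access_key = PLACEHOLDER_SECRET
"""

REQUIRED_SESSION_KEYS = ("sso_start_url", "sso_region")
REQUIRED_PROFILE_KEYS = ("sso_account_id", "sso_role_name")


def _section_name(section, prefix):
    """'profile my_profile' -> 'my_profile'."""
    return section[len(prefix):]


def validate_sso_config(config_text):
    """Return (profile_or_session, problem) tuples for an ~/.aws/config text."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)

    sessions = {
        _section_name(s, "sso-session "): dict(parser[s])
        for s in parser.sections() if s.startswith("sso-session ")
    }
    problems = []

    for name, values in sessions.items():
        for key in REQUIRED_SESSION_KEYS:
            if key not in values:
                problems.append((f"sso-session {name}", f"missing {key}"))

    for section in parser.sections():
        if not section.startswith("profile "):
            continue
        profile = _section_name(section, "profile ")
        values = dict(parser[section])

        if "sso_session" in values:
            session = values["sso_session"]
            if session not in sessions:
                problems.append((profile, f"sso_session '{session}' has no [sso-session {session}] section"))
        elif "sso_start_url" in values:
            # Older layout: SSO settings inline in the profile instead of a shared session.
            problems.append((profile, "uses the older inline sso_start_url layout; move it into an [sso-session] section"))
        else:
            continue  # not an SSO profile, nothing to check

        for key in REQUIRED_PROFILE_KEYS:
            if key not in values:
                problems.append((profile, f"missing {key}"))
        account = values.get("sso_account_id", "")
        if account and not re.fullmatch(r"\d{12}", account):
            problems.append((profile, f"sso_account_id '{account}' is not a 12-digit account ID"))
    return problems


def sso_keys_in_credentials(credentials_text):
    """Return sections of ~/.aws/credentials that (wrongly) contain sso_* keys."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    return [s for s in parser.sections() if any(k.startswith("sso_") for k in parser[s])]


if __name__ == "__main__":
    for target, problem in validate_sso_config(SAMPLE_CONFIG):
        print(f"{target}: {problem}")
    for section in sso_keys_in_credentials(SAMPLE_CREDENTIALS):
        print(f"credentials section [{section}] contains SSO settings; move them to ~/.aws/config")
```

To run it against real files, read them with open() instead of the embedded strings; the parser accepts the same INI syntax the AWS CLI writes.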


IAM IC Management via Terraform


The following code shows how to use the AWS Terraform provider to manage Identity Center permission sets, groups and users.


(1) Define SSO Permission Set (SSO Group's Permissions)


/policies/devops-combined-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        ...
        "ecr:*",
        "eks:*",
        ...
        "lambda:*",
        ...
        "s3:*",
        "sqs:*",
        ...
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

# Looks up the Identity Center instance in this organization; its ARN and
# identity store ID are referenced by every resource below.
data "aws_ssoadmin_instances" "current" {}

data "aws_iam_policy_document" "devops_inline_combined_policy" {
  # Load the combined policy from the JSON file above.
  source_policy_documents = [
    file("${path.module}/policies/devops-combined-policy.json"),
  ]
}


This is just an example. Don't allow all actions on a service with a wildcard; always follow the least-privilege approach and add granular permissions only when required, e.g. lambda:InvokeFunction.

The SSO permission set resource. Its session_duration sets how long application user sessions remain valid, expressed as an ISO 8601 duration (PT2H is two hours).

resource "aws_ssoadmin_permission_set" "devops" {
  name             = "DevOps"
  description      = "DevOps"
  instance_arn     = tolist(data.aws_ssoadmin_instances.current.arns)[0]
  session_duration = "PT2H"
}

resource "aws_ssoadmin_permission_set_inline_policy" "devops" {
  inline_policy      = data.aws_iam_policy_document.devops_inline_combined_policy.json
  instance_arn       = aws_ssoadmin_permission_set.devops.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.devops.arn
}
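The least-privilege warning above is easy to state and easy to forget once the policy JSON grows. The script below is an added example, not the post's own file or the Terraform provider's code: it scans a policy document for Allow statements that pair service-wide wildcard actions (such as "ecr:*" or "*") with Resource "*", which is the shape that should not reach a permission set unreviewed. The policy embedded here is a constructed stand-in for /policies/devops-combined-policy.json, with one over-broad statement and one scoped statement of the kind the text recommends, so the check can be run offline (for example in CI before terraform apply).

```python
import json

# Constructed policy, not the page's own file: same shape as
# devops-combined-policy.json, with one broad and one scoped statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BroadDevOps",
            "Effect": "Allow",
            "Action": ["ecr:*", "eks:*", "lambda:*", "s3:*", "sqs:*"],
            "Resource": "*",
        },
        {
            "Sid": "InvokeOneFunction",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            # Constructed ARN; the account ID matches the post's examples.
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:deploy-hook",
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_action(action):
    """'*' or a whole-service wildcard like 'lambda:*'."""
    return action == "*" or action.endswith(":*")


def find_overbroad_statements(policy_json):
    """Return one finding per Allow statement that grants wildcard actions on Resource '*'."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        wildcard_actions = [a for a in actions if is_wildcard_action(a)]
        if wildcard_actions and "*" in resources:
            findings.append({
                "sid": statement.get("Sid", f"statement[{index}]"),
                "wildcard_actions": wildcard_actions,
            })
    return findings


if __name__ == "__main__":
    for finding in find_overbroad_statements(SAMPLE_POLICY):
        print(f"{finding['sid']}: wildcard actions on all resources -> {finding['wildcard_actions']}")
```

The scoped lambda:InvokeFunction statement passes, the combined "*:*" statement is reported. Extending the check to NotAction, NotResource and condition-less iam:PassRole is the natural next step for a real policy linter.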


(2) Define SSO Group


resource "aws_identitystore_group" "devops" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0]
  display_name      = "devops"
}

resource "aws_ssoadmin_account_assignment" "devops_to_main_account" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.current.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.devops.arn

  principal_id   = aws_identitystore_group.devops.group_id
  principal_type = "GROUP"

  target_id   = "123456789012"
  target_type = "AWS_ACCOUNT"
}

(3) Define SSO User


To add a new user to the Identity Store, we need their email address, which is used in SSO authentication.

resource "aws_identitystore_user" "bojan" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0]

  display_name = "Bojan"
  user_name    = "Bojan"

  name {
    given_name  = "Bojan"
    family_name = "Komazec"
  }

  emails {
    value   = "bojan@example.com"
    primary = true
    type    = "work"
  }
}

resource "aws_identitystore_group_membership" "bojan_to_devops" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0]
  group_id          = aws_identitystore_group.devops.group_id
  member_id         = aws_identitystore_user.bojan.user_id
}



...