IAM Identity Center (formerly AWS Single Sign-On, or AWS SSO) enables you to centrally manage workforce access to multiple AWS accounts and applications via single sign-on.
IAM vs IAM IC
Do note the difference between:
- IAM
  - Users
  - User Groups
  - Roles
  - Policies
  - Identity providers
  - Root Access Management
- IAM Identity Center
  - Users
  - Groups
AWS IAM Users are local, long-term identities within a single account used for programmatic access, while IAM Identity Center Users are modern, centralized identities (usually from an external directory) intended for single sign-on (SSO) access across multiple AWS accounts. Identity Center offers better security, automated lifecycle management, and SSO, whereas IAM is for specific, per-account access.
Core Differences Between IAM and IAM Identity Center Users
- Scope & Management:
  - IAM Users: Created within one specific AWS account. Managing access across 10+ accounts requires manual, redundant setup.
  - IAM Identity Center Users: Centrally managed across all accounts within an AWS Organization. Enables SSO with one login to access multiple accounts, the CLI, and third-party apps.
- Authentication & Credential Type:
  - IAM Users: Use static, long-term access keys and passwords. These require manual rotation, which increases security risk.
  - IAM Identity Center Users: Use temporary, short-term credentials, reducing the risk and impact of compromised credentials.
- External Integration (IdP):
  - IAM Users: Managed only within AWS.
  - IAM Identity Center Users: Integrate with external identity providers (IdPs) like Okta, Microsoft Entra ID (formerly Azure AD), or Google Workspace via SCIM.
- Best Practice Usage:
  - IAM Users: Used for "service accounts" (e.g., cron scripts, APIs) that do not support role-based access.
  - IAM Identity Center Users: Recommended for all human users accessing the AWS Management Console, Command Line Interface (CLI), or APIs.
Summary Table
| Feature | IAM User | IAM Identity Center User |
| --- | --- | --- |
| Primary Use | Single account, long-term apps | Multi-account, human SSO |
| Credentials | Long-term (key/password) | Temporary (token) |
| Management | Decentralized (per account) | Centralized (across Org) |
| External IdP | No | Yes (SCIM) |
| MFA | Manual setup | Enforced (FIDO/TOTP) |
| Best For | Services/scripts | Humans (devs/admins) |
In short, use IAM Identity Center for people and IAM Users only for machines.
IAM Identity Center setup
(1) Confirm your identity source
The identity source is where you administer users and groups, and it is the service that authenticates your users. By default, IAM Identity Center creates an Identity Center directory.
(2) Manage permissions for multiple AWS accounts
Give users and groups access to specific AWS accounts in your organization.
(3) Set up application user and group assignments
Give users and groups access to specific applications configured to work with IAM Identity Center.
(4) Register a delegated administrator
Delegate the ability to manage IAM Identity Center to a member account in your AWS organization.
AWS SSO Authentication
When you run aws sso login, it initiates an authentication flow that communicates with your organization's configured IAM Identity Center instance to obtain temporary AWS credentials for CLI use. This command does not interact with the legacy AWS SSO service, but with the current IAM Identity Center (the new, official name as of July 2022). The authentication process exchanges your SSO credentials for tokens that allow you to use other AWS CLI commands with the associated permissions.
aws sso login --profile my_profile
The profile named in aws sso login --profile my_profile must be defined in your AWS CLI configuration file, specifically in ~/.aws/config (on Linux/macOS) or %USERPROFILE%\.aws\config (on Windows).
To define or create an SSO profile, use the interactive command:
aws configure sso --profile my_profile
This command will prompt you for required details such as the SSO start URL, AWS region, account ID, and role name, and then write them into your ~/.aws/config file.
A typical SSO profile configuration in ~/.aws/config might look like:
[profile my_profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
[sso-session my-sso]
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
Never define the profile in ~/.aws/credentials; SSO profiles rely on ~/.aws/config.
After defining it, aws sso login --profile my_profile will use the details in ~/.aws/config to initiate login.
The most straightforward method is using aws configure sso with your desired profile name as shown above.
If you already have an SSO session defined, you can reuse it across multiple profiles by referencing the same sso_session.
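The rules above (the profile lives in ~/.aws/config, references a defined sso-session, and is never repeated in ~/.aws/credentials) can be checked before running aws sso login. The following validator is an added example, not code from the original post; it parses constructed copies of both files from strings rather than reading the real files.

```python
import configparser

# Constructed sample of ~/.aws/config in the shape shown above; read from a string so it runs offline.
GOOD_CONFIG = """
[profile my_profile]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
[sso-session my-sso]
sso_start_url = https://myorg.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""

# Constructed ~/.aws/credentials that wrongly repeats the SSO profile name (values are placeholders).
BAD_CREDENTIALS = """
[my_profile]
aws_access_key_id = PLACEHOLDER
aws_secret_access_key = PLACEHOLDER
"""


def check_sso_profiles(config_text, credentials_text=""):
    """Return a list of findings; an empty list means every SSO profile is consistent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    creds = configparser.ConfigParser(interpolation=None)
    creds.read_string(credentials_text)
    findings = []
    for section in cfg.sections():
        name = section.removeprefix("profile ")
        prof = cfg[section]
        if name == section or "sso_session" not in prof:
            continue  # not a [profile ...] section, or not an SSO profile (static keys, role assumption)
        for key in ("sso_account_id", "sso_role_name"):
            if key not in prof:
                findings.append(f"{name}: missing {key}")
        acct = prof.get("sso_account_id", "")
        if not (acct.isdigit() and len(acct) == 12):
            findings.append(f"{name}: sso_account_id must be a 12-digit account id")
        sess_name = "sso-session " + prof["sso_session"]
        if sess_name not in cfg:
            findings.append(f"{name}: references undefined [{sess_name}]")
        else:
            for key in ("sso_start_url", "sso_region"):
                if key not in cfg[sess_name]:
                    findings.append(f"[{sess_name}]: missing {key}")
        if creds.has_section(name):
            findings.append(f"{name}: also defined in ~/.aws/credentials; keep SSO profiles in ~/.aws/config only")
    return findings
```

To run it against the real files, pass the contents of ~/.aws/config and ~/.aws/credentials as the two arguments.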
IAM IC Management via Terraform
The following code shows how to use the AWS Terraform provider to manage Identity Center users and groups.
(1) Define SSO Permission Set (SSO Group's Permissions)
/policies/devops-combined-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        ...
        "ecr:*",
        "eks:*",
        ...
        "lambda:*",
        ...
        "s3:*",
        "sqs:*",
        ...
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
# Look up the organization's Identity Center instance; its ARN and identity store ID
# are referenced by every resource below (this data source was not shown in the original listing).
data "aws_ssoadmin_instances" "current" {}

data "aws_iam_policy_document" "devops_inline_combined_policy" {
  source_policy_documents = [
    file("${path.module}/policies/devops-combined-policy.json"),
  ]
}
This is just an example. Do not allow all actions on a service (e.g. lambda:*); always follow the least-privilege approach and grant granular permissions only when required, e.g. lambda:InvokeFunction.
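A quick way to catch the wildcards the note above warns about before the policy document reaches a permission set is to lint the JSON. This linter is an added example, not the post's code; the two policies are constructed inline (the Lambda ARN is a hypothetical placeholder), and it flags only full-action (`*`), service-wide (`svc:*`) and resource-wide (`*`) Allow grants, not partial wildcards such as `s3:Get*`.

```python
import json

# Constructed stand-in for /policies/devops-combined-policy.json, with the elided actions omitted.
WILDCARD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ecr:*", "eks:*", "lambda:*", "s3:*", "sqs:*"],
     "Effect": "Allow", "Resource": "*"}
  ]
}"""

# Constructed least-privilege counterpart: one named action on one named function (hypothetical ARN).
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "lambda:InvokeFunction",
     "Effect": "Allow",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-fn"}
  ]
}"""


def _as_list(value):
    # IAM accepts either a single string or a list for Action, NotAction and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def find_overbroad_grants(policy_text):
    """Return one 'action on resource' string per Allow grant that is service-wide or resource-wide."""
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without the list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:  # Allow + NotAction grants every action not listed
            findings.append("NotAction on " + ",".join(resources))
        for action in _as_list(stmt.get("Action")):
            _, _, verb = action.partition(":")
            if action == "*" or verb == "*" or "*" in resources:
                findings.append(f"{action} on {','.join(resources)}")
    return findings
```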
The SSO permission set resource. Its session_duration also defines how long the application user's sessions are valid, expressed as an ISO-8601 duration (PT2H is two hours).
resource "aws_ssoadmin_permission_set" "devops" {
  name             = "DevOps"
  description      = "DevOps"
  instance_arn     = tolist(data.aws_ssoadmin_instances.current.arns)[0]
  session_duration = "PT2H"  # ISO-8601 duration: sessions expire after two hours
}

# Attach the combined policy document above as the permission set's inline policy.
resource "aws_ssoadmin_permission_set_inline_policy" "devops" {
  inline_policy      = data.aws_iam_policy_document.devops_inline_combined_policy.json
  instance_arn       = aws_ssoadmin_permission_set.devops.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.devops.arn
}
(2) Define SSO Group
resource "aws_identitystore_group" "devops" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0]
  display_name      = "devops"
}

# Grant the group the DevOps permission set in the target account.
resource "aws_ssoadmin_account_assignment" "devops_to_main_account" {
  instance_arn       = tolist(data.aws_ssoadmin_instances.current.arns)[0]
  permission_set_arn = aws_ssoadmin_permission_set.devops.arn
  principal_id       = aws_identitystore_group.devops.group_id
  principal_type     = "GROUP"
  target_id          = "123456789012"  # AWS account ID that receives the assignment
  target_type        = "AWS_ACCOUNT"
}
(3) Define SSO User
To add a new user to the Identity Store, we need their email address, which is used during SSO authentication.
resource "aws_identitystore_user" "bojan" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0]
  display_name      = "Bojan"
  user_name         = "Bojan"
  name {
    given_name  = "Bojan"
    family_name = "Komazec"
  }
  emails {
    value   = "bojan@example.com"
    primary = true
    type    = "work"
  }
}

resource "aws_identitystore_group_membership" "bojan_to_devops" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.current.identity_store_ids)[0]
  group_id          = aws_identitystore_group.devops.group_id
  member_id         = aws_identitystore_user.bojan.user_id
}
...