AWS IAM Identity Center simplifies calls to AWS services with single identity context
AWS IAM Identity Center now enables the use of a single identity context to propagate the identity of users requesting access to AWS services, simplifying the experience of application developers.
Previously, application developers who wanted their applications to use trusted identity propagation had to call AWS services using two different IAM role sessions – one for services that can authorize access per user, and another for services that only log the user identity for audits. With this release, application developers can call any AWS service using a single IAM role session that carries sts:identity_context. When an application is configured in a trusted identity propagation use case, AWS services use the identity context to authorize user access. If an AWS service is not part of a trusted identity propagation use case, access to resources continues to be authorized by IAM roles. All AWS services using CloudTrail event version 1.09 and above log the IAM Identity Center userId in their service logs and in the OnBehalfOf element of the Amazon CloudTrail logs.
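The audit side of this announcement is that a single role session can now produce CloudTrail records in which the acting workforce user appears in the OnBehalfOf element, while calls without identity context (or from services on older event versions) still show only the role session. The following is an added example, not AWS code and not part of the announcement: it attributes a batch of CloudTrail records to either an IAM Identity Center userId or a role session ARN, and separates records that lack user attribution because the event version predates 1.09 from records that carry no identity context. The sample records are constructed, and the exact field layout assumed here (`userIdentity.onBehalfOf` with `userId` and `identityStoreArn`) is an assumption about the 1.09 record format.

```python
"""Attribute CloudTrail records to IAM Identity Center users via OnBehalfOf.

Added example, not AWS code. Assumption: CloudTrail 1.09+ records carry
userIdentity.onBehalfOf = {"userId": ..., "identityStoreArn": ...}.
"""
import json
from collections import Counter

# Constructed sample records (not captured from a real account).
SAMPLE_RECORDS = [
    {   # 1.09 record from a session that carried sts:identity_context
        "eventVersion": "1.09",
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "redshift-data.amazonaws.com",
        "eventName": "ExecuteStatement",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AnalyticsAppRole/app-session",
            "onBehalfOf": {
                "userId": "94482488-3041-7005-8f4a-example-user",
                "identityStoreArn": "arn:aws:identitystore::111122223333:identitystore/d-example1234",
            },
        },
    },
    {   # 1.09 record from a session without identity context: role-only
        "eventVersion": "1.09",
        "eventTime": "2024-05-01T10:00:05Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/AnalyticsAppRole/app-session",
        },
    },
    {   # pre-1.09 record: the format cannot carry OnBehalfOf at all
        "eventVersion": "1.08",
        "eventTime": "2024-05-01T10:00:09Z",
        "eventSource": "dynamodb.amazonaws.com",
        "eventName": "Query",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/LegacyAppRole/app-session",
        },
    },
]

# First CloudTrail event version that carries the OnBehalfOf element.
ONBEHALFOF_MIN_VERSION = (1, 9)


def _event_version(record):
    """Parse "1.09" into (1, 9) so versions compare numerically."""
    return tuple(int(part) for part in record.get("eventVersion", "0.0").split("."))


def attribute_event(record):
    """Decide who the record should be attributed to and why.

    Returns a dict with the actor (userId or role-session ARN), the kind of
    attribution, and a note explaining why no user was attributed, if so.
    """
    identity = record.get("userIdentity", {})
    on_behalf_of = identity.get("onBehalfOf") or {}
    if on_behalf_of.get("userId"):
        return {
            "actor": on_behalf_of["userId"],
            "kind": "workforce_user",
            "note": "attributed via OnBehalfOf; store " + on_behalf_of.get("identityStoreArn", "?"),
        }
    if _event_version(record) < ONBEHALFOF_MIN_VERSION:
        note = "event version predates 1.09; user attribution unavailable from this record"
    else:
        note = "no identity context recorded for this session; authorized by IAM role alone"
    return {"actor": identity.get("arn"), "kind": "role_session", "note": note}


def summarize(records):
    """Count events per actor and list the ones lacking a workforce user."""
    by_actor = Counter()
    unattributed = []
    for record in records:
        result = attribute_event(record)
        by_actor[result["actor"]] += 1
        if result["kind"] != "workforce_user":
            unattributed.append(
                (record.get("eventSource"), record.get("eventName"), result["note"])
            )
    return {"by_actor": dict(by_actor), "unattributed": unattributed}


def records_from_ndjson(text):
    """Parse newline-delimited JSON records, as a log stream would deliver them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    ndjson = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)
    print(json.dumps(summarize(records_from_ndjson(ndjson)), indent=2))
```

The distinction the `note` field makes matters when reviewing coverage: a 1.09 record without OnBehalfOf means the session itself carried no identity context, whereas a pre-1.09 record tells you nothing either way, so the two gaps call for different follow-up.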
IAM Identity Center enables you to connect your existing source of workforce identities to AWS once and access the personalized experiences offered by AWS applications, such as Amazon Q; define and audit user-aware access to data in AWS services, such as Amazon Redshift; and manage access to multiple AWS accounts from a central place. Learn more about IAM Identity Center identity-enhanced role sessions in the IAM Identity Center documentation. The feature is available at no additional cost in all AWS Regions where IAM Identity Center is available.