By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Does using the IAM Identity Center affect my IAM identities or federation configuration?

3 minute read
0

I want to use the AWS IAM Identity Center (successor to AWS Single Sign-On) to provide access for users to our AWS accounts and applications. I want to know if using the IAM Identity Center affects my AWS Identity and Access Management (IAM) identities (users, groups, and roles).

Short description

You can use the IAM Identity Center or IAM to federate your workforce into AWS accounts and applications.

IAM federation allows you to activate a separate SAML 2.0 or an OIDC IdP for each AWS account and user attributes for access control. You can use identity providers instead of creating IAM users in your AWS account. For more information, see Identity providers and federation.

IAM Identity Center uses IAM service-linked roles. You don't have to manually add permissions with service-linked roles. For more information, see Using service-linked roles for IAM Identity Center.

Resolution

The IAM Identity Center is independent of identity federation configured using IAM. Using the IAM Identity Center doesn't impact IAM identities or your federation configuration.

The IAM Identity Center uses the service-linked role AWSServiceRoleForSSO to grant permissions to manage AWS resources. The AWSServiceRoleForSSO role created in AWS accounts only trusts the IAM Identity Center service that's similar to the following IAM trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service":"sso.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The IAM roles created by the service-linked role AWSServiceRoleForSSO have an IAM trust policy that's similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::AWS-account-ID:saml-provider/AWSSSO_ec48a2d3f5dc369d_DO_NOT_DELETE"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

Note: This IAM policy only trusts the SAML provider created automatically by the IAM Identity Center.

With IAM federation, you must manually create IAM roles in your AWS accounts using a trust policy that's similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/MYIDP"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {
      "saml:edupersonorgdn": "ExampleOrg",
      "saml:aud": "https://signin.aws.amazon.com/saml"
    }}
  }]
}

Note: Only IAM entities in your organization with this policy attached are able to access your AWS accounts.

To configure the IAM identity Center, see How do I use the IAM Identity Center and the AWS access portal?

Related information

How to create and manage users within AWS IAM Identity Center

How do I assign user access to cloud applications in the IAM Identity Center?

How do I use IAM Identity Center permission sets?

Identity federation in AWS

Topics
Security, Identity, & Compliance
Tags
AWS IAM Identity Center
Language
English
AWS OFFICIAL
AWS OFFICIALUpdated a year ago
No comments

Relevant content