Delegate access across AWS accounts using IAM roles

0

I am working through this tutorial: Delegate access across AWS accounts using IAM roles.

The purpose of this tutorial is to demonstrate that users from the Developer account can use a role to access the productionapp bucket in the Production account.

In the tutorial, two user groups, Testers and Developers, are created with one user in each. At first I thought these were user groups in Identity Center, but later realised they are actually IAM user groups. Refer to the tutorial:

To modify the testers user group to deny permission to assume the UpdateApp role

  1. According to the best practice should we not always use Identity Center to create Users/Groups?
  2. Can we actually achieve this tutorial with users created in Identity Center? That is, allow users to switch roles without using IAM users.
Lottie
Asked 4 months ago · 163 views
1 answer
1
Accepted answer

The documentation page you link to talks about delegating access from a role in one account to a role in another account. This is pretty much what you want to do.

How those roles are assumed in the first account is more or less irrelevant. The example in the documentation talks about creating static users that have the role assigned to them - that's one way (which happens to work for smaller environments). But you're absolutely correct: we recommend using Identity Center - because when users authenticate via Identity Center they are assigned to specific roles. And those roles can be used as per the example in the documentation.

AWS
Expert
Answered 4 months ago
Expert
Reviewed 2 months ago
  • Do we not use permission sets to control access for Identity Center users? Is there really a way to assign a role to an Identity Center user? What do you mean by static users, and that it is one way?

  • "Static users" are users created in IAM - you have said you don't want to do that (which is a good thing!).

  • Thanks Brettski-AWS. Found this post that explains switching roles for an Identity Center user: https://repost.aws/questions/QUSm-PF3zxSf6Rsj-8W75XGA/role-switch-iam-identity-center-user. The permission set defined in Identity Center looks after role assignment.
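The following is an added example, not code from this thread or from the AWS tutorial. It writes out the two halves the answer above relies on: the trust policy on the UpdateApp role in the Production account (here narrowed to Identity Center permission-set roles in the Developer account rather than IAM users), and the Developer-side policies that allow developers and explicitly deny testers the `sts:AssumeRole` call. A small evaluator then shows why both halves must agree and why the explicit Deny on the Testers group wins even when an Allow is also present. The account IDs, the permission-set name `Developers` and the caller ARNs are constructed placeholders.

```python
"""Cross-account role switching, evaluated offline.

Added example (not from the re:Post thread or the AWS tutorial). Account IDs,
permission-set names and caller ARNs below are constructed placeholders.
"""
import fnmatch
import json

PRODUCTION_ACCOUNT = "111111111111"  # placeholder: owns the productionapp bucket
DEVELOPER_ACCOUNT = "222222222222"   # placeholder: where users sign in via Identity Center
UPDATE_APP_ROLE_ARN = f"arn:aws:iam::{PRODUCTION_ACCOUNT}:role/UpdateApp"

# Trust policy on UpdateApp (Production side). Trusting the Developer account root
# hands the "who may assume" decision to that account's own policies; the ArnLike
# condition narrows callers to Identity Center permission-set roles (path
# aws-reserved/sso.amazonaws.com/), so plain IAM users do not qualify.
UPDATE_APP_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DEVELOPER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalArn":
            f"arn:aws:iam::{DEVELOPER_ACCOUNT}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_Developers_*"}},
    }],
}

# Developer-side policies: the Developers permission set may assume UpdateApp;
# the Testers group carries an explicit Deny, as in the tutorial's last step.
DEVELOPERS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": UPDATE_APP_ROLE_ARN}]}
TESTERS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": UPDATE_APP_ROLE_ARN}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM-style wildcard match: '*' and '?' only, case-sensitive for ARNs.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # a matching Deny ends evaluation regardless of Allows
            decision = "Allow"
    return decision


def trust_allows(trust_policy, principal_arn):
    """Does the target role's trust policy accept this caller for sts:AssumeRole?"""
    account = principal_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _as_list(stmt["Principal"]["AWS"])
        # ':root' trusts the whole account; an exact ARN trusts only that principal.
        if not any(p == principal_arn or p == f"arn:aws:iam::{account}:root" for p in principals):
            continue
        cond = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn")
        if cond is None or any(_matches(c, principal_arn) for c in _as_list(cond)):
            return True
    return False


def can_switch_role(caller_arn, caller_policies):
    """Both sides must agree: the caller's own policies and the target role's trust policy."""
    own_side = evaluate(caller_policies, "sts:AssumeRole", UPDATE_APP_ROLE_ARN) == "Allow"
    return own_side and trust_allows(UPDATE_APP_TRUST_POLICY, caller_arn)


# Constructed callers: a permission-set role session and a legacy IAM user.
DEVELOPER_SSO_ROLE = (f"arn:aws:iam::{DEVELOPER_ACCOUNT}:role/aws-reserved/"
                      "sso.amazonaws.com/us-east-1/AWSReservedSSO_Developers_abc123")
LEGACY_IAM_USER = f"arn:aws:iam::{DEVELOPER_ACCOUNT}:user/David"

if __name__ == "__main__":
    print(json.dumps(UPDATE_APP_TRUST_POLICY, indent=2))
    print("developer via permission set:", can_switch_role(DEVELOPER_SSO_ROLE, [DEVELOPERS_POLICY]))
    print("member of both groups:", can_switch_role(DEVELOPER_SSO_ROLE, [DEVELOPERS_POLICY, TESTERS_POLICY]))
    print("legacy IAM user:", can_switch_role(LEGACY_IAM_USER, [DEVELOPERS_POLICY]))
```

The evaluator only models the Action/Resource/Effect and `ArnLike` parts of a policy that this scenario exercises; the real service also applies service control policies, permission boundaries and session policies. The practical takeaways it demonstrates are that the trust policy can reference the permission-set role (so no IAM user is needed), and that putting the Deny on the Testers group is what keeps a user who ends up in both groups from switching role.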
