Control Tower and IAM User with Programmatic Access


I am working through a Control Tower workshop, and my understanding from the documentation is that IAM Identity Center (formerly AWS SSO) is where I go to create new users going forward with a Control Tower setup. However, for a scenario where I need to create a User with Programmatic Access (Access Key ID and Secret Access Key), I don't see that as an option in IAM Identity Center. Is the recommended approach to use IAM in that scenario and create the account there? If so, will that cause confusion down the road with some user accounts not being managed by IAM Identity Center and others in IAM?

1 answer

Accepted answer

Hi, when using AWS Identity Center, programmatic access credentials become temporary. This fits more within the best practice recommendations of not having long-life credentials. The AWS CLI can support integration with IAM Identity Center, https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html. A user would run the CLI login process. It will retrieve a temporary Access Key ID and Secret Access Key and use those for the session. The duration of the session can be configured within the Identity Center permission set. IAM-based credentials can still be used, but the recommendation is that they are limited to Service Access (as an example, automation tools or SaaS products that need access).

AWS
Answered 2 years ago
  • Thanks Jimmy. My scenario is what you are referring to in the last sentence... I need an account for Service Access, so it sounds like IAM is still the go-to for that scenario. I appreciate the additional context for the CLI login process with the temp keys.
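To make the CLI login flow from the answer concrete, here is an added example of the profile layout the linked CLI guide describes; it is not from the post, and the session name, start URL, region, account ID, role name and profile name are placeholders you would replace with your own values. Note that `sso_role_name` is the Identity Center permission set, which is also where the session duration is set; nothing in this file is a long-lived key.

```ini
# ~/.aws/config (example only; all values below are placeholders)

# The Identity Center portal the CLI authenticates against.
# One sso-session block can be shared by many profiles.
[sso-session my-identity-center]
sso_start_url = https://PLACEHOLDER.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

# One profile per account + permission set combination.
# No aws_access_key_id / aws_secret_access_key here: the CLI fetches
# temporary credentials for this role after "aws sso login".
[profile workload-dev]
sso_session = my-identity-center
sso_account_id = 111122223333
sso_role_name = DeveloperAccess
region = us-east-1

# Usage (browser-based sign-in, then verify which identity you hold):
#   aws sso login --profile workload-dev
#   aws sts get-caller-identity --profile workload-dev
# The temporary credentials expire per the permission set's session duration;
# re-run "aws sso login" to obtain new ones.
```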
