Implementing Federated SSO with IAM Identity Center and Google Workspace for Linked Accounts

0

Hi, I've been trying to implement federated SSO using IAM Identity Center and Google Workspace following the AWS blog.

I'm using the management account to set it up, and I intend for the SSO to work in other linked accounts as well. However, I only see the management account ID for login.

How can I set it up for all the linked accounts from the management account? Is it possible to centrally implement SSO for all the linked accounts by only configuring it in the management account?

Thanks!

asked a year ago · 761 views
2 Answers
0
Accepted Answer

What you have done following the blog you referenced is an integration between Google and an individual account (the management account).

To achieve federated SSO towards all the accounts of an organization, integrate Google with Identity Center instead. Follow this user guide and use this blog as a reference.

Note that, from the AWS perspective, you can keep both integrations at the same time, which means your users would be able to authenticate either way. If we add existing user definitions in IAM, as you asked in your previous question, there will be 3 ways for users to authenticate, if you choose to keep all of them.

If you intend to set up automatic provisioning (part of the procedure described in the AWS user doc), not just authentication, you have to use the 'built-in' (cataloged) app in Google, "Amazon Web Services" (suggested in the procedure described in the AWS user doc). And Google only allows you to have one instance of it (at least this was true a few months ago; not sure if they have made any changes). So if you have 'already used it' for your previous integration, you have to delete it so that you can use it for the new integration. Otherwise, if you don't need auto provisioning, you can also create a Custom SAML app without using that "Amazon Web Services" app.

Another note: the Google SCIM/auto-provisioning integration does not support groups (only users); you have to address that separately.

AWS
answered a year ago
EXPERT
reviewed 8 months ago
0

Hi Gagan,

Looking at the blog and seeing that you can access your Management account through Google Workspace shows that you have successfully set up "AWS Single-Account Access" with AWS IAM. This is good; however, if you have an AWS Organization set up, it is recommended to set up **AWS IAM Identity Center** instead of AWS IAM. This will allow you to federate access to other accounts within your Organization through permission sets.

The documentation has a step-by-step guide on completing this for AWS IAM Identity Center and Google Workspace. The guide also includes automatic provisioning to synchronise identities between Google Workspace and AWS IAM Identity Center.

After you have set it up successfully, the guide also outlines the steps for assigning a permission set to an account. You can carry out the same steps for other accounts and users to grant access to member accounts of an Organization.

I hope this provided some clarity.

AWS
answered a year ago
EXPERT
reviewed a year ago
  • Thanks! It works for me.

  • Hi, I have multiple groups in Google Workspace, and I only want members of a specific group to have access to AWS. However, this is not working as expected; it only works for individual users. According to a blog, it was suggested to create a group in the Identity Center and add users to this group, but I prefer managing users directly through the Google Workspace group. Is there a way to achieve this? Any blog references on this topic would be greatly appreciated. Thanks!

  • Hi Gagan, good to see that you have it working. Unfortunately, with Google Workspace groups and AWS Identity Center, syncing cannot be done at the group level automatically, unlike with some other IdPs such as Entra ID and Okta. There is a workaround you can try built by AWS called SSOSync. I don't have first-hand knowledge of trying this, but judging from the link in the documentation and recent commits it looks to be active and working.

  • Try (in Google) assigning only a particular group to the AWS 'application'. That should achieve your requirement of "only want members of a specific group to have access to AWS". But groups and group assignments won't be synced to AWS. You still need to manage them separately (if you need grouping on the AWS side at all!).

    Adding on top of Gary's comments on ssosync: if you decide to use ssosync to sync (which is capable of doing both users and groups), turn off auto provisioning by SCIM in Google. It is not recommended to keep both ssosync and SCIM auto provisioning on, to avoid conflicts.
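The "carry out the same steps for other accounts" part of the accepted-style answer above, and the comment thread's point that the group has to exist on the AWS side, as an added example that is not from any of the posters: it grants one Identity Center group a permission set in every active member account of the organization, skipping accounts where the assignment already exists so reruns are safe. It assumes boto3, credentials in the management account, and that the permission set ARN and group ID are supplied by the operator (placeholders, not values from this thread).

```python
# Added example, not code from the answers above. Assumes boto3 and management-account
# credentials; run it in the Identity Center home region, since sso-admin calls are regional.
# The group must already exist in the Identity Center identity store (Google's SCIM sync
# creates users only, so create it in Identity Center or via ssosync).

def active_account_ids(org) -> list[str]:
    """Every ACTIVE account in the organization, following NextToken pagination."""
    ids, kwargs = [], {}
    while True:
        page = org.list_accounts(**kwargs)
        ids += [a["Id"] for a in page["Accounts"] if a["Status"] == "ACTIVE"]
        if "NextToken" not in page:
            return ids
        kwargs = {"NextToken": page["NextToken"]}

def assigned_principals(sso, instance_arn, account_id, ps_arn) -> set[str]:
    """Principal ids that already hold this permission set in this account."""
    found, kwargs = set(), {}
    while True:
        page = sso.list_account_assignments(InstanceArn=instance_arn, AccountId=account_id,
                                            PermissionSetArn=ps_arn, **kwargs)
        found |= {a["PrincipalId"] for a in page["AccountAssignments"]}
        if "NextToken" not in page:
            return found
        kwargs = {"NextToken": page["NextToken"]}

def assign_group_everywhere(sso, instance_arn, ps_arn, group_id, account_ids) -> list[str]:
    """Create the GROUP -> permission set assignment where it is missing.
    Returns the accounts in which a new assignment was requested (creation is asynchronous;
    the API returns an AccountAssignmentCreationStatus you can poll)."""
    created = []
    for acct in account_ids:
        if group_id in assigned_principals(sso, instance_arn, acct, ps_arn):
            continue  # already assigned; skip so the script is idempotent
        sso.create_account_assignment(InstanceArn=instance_arn, TargetId=acct,
                                      TargetType="AWS_ACCOUNT", PermissionSetArn=ps_arn,
                                      PrincipalType="GROUP", PrincipalId=group_id)
        created.append(acct)
    return created

if __name__ == "__main__":
    import sys
    import boto3
    ps_arn, group_id = sys.argv[1], sys.argv[2]  # placeholders: your permission set ARN and group id
    sso = boto3.client("sso-admin")
    instance_arn = sso.list_instances()["Instances"][0]["InstanceArn"]
    accounts = active_account_ids(boto3.client("organizations"))
    print("new assignments requested in:", assign_group_everywhere(sso, instance_arn, ps_arn, group_id, accounts))
```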
