Authenticate AWS Client VPN users with AWS IAM Identity Center that has an external identity store (Google Workspace)

0

Hi, our org is using AWS IAM Identity Center connected to Google Workspace to allow people to log in to AWS with their Google account. Accounts are properly synced and groups are used to provide access to the correct AWS accounts, etc. So far so good. Now we would like to allow access to some of the internal network infrastructure by VPN. I hoped that we could just use the same SSO mechanism for that. I tried following along with these blog posts:

https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-sso-with-aws-client-vpn-for-authentication-and-authorization/

https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/

But I can't get it to work. There is always a 403 when I try to access the self-service portal while logged into my account. Looking at the Federate request in CloudTrail just shows "Forbidden" but no more useful info to help debug the issue.

Is there a specific step needed when working with an external identity store? Or does it not work at all?

1 Answer
1

Hi frederikP,

This kind of troubleshooting is better served by AWS Support, which can help review your configuration to provide accurate advice. My suggestion would be to subscribe to some level of support plan ( https://aws.amazon.com/premiumsupport/plans/ ) and create a technical support case with your troubleshooting queries.

Aside from that advice, I would suggest looking into AWS Verified Access ( https://aws.amazon.com/verified-access/ ), which is a simpler, zero-trust way to provide corporate employees access to internal resources, and which I would say is the best practice nowadays.

Hope this helps!

AWS
answered 3 months ago
