Authenticate AWS Client VPN users with AWS IAM Identity Center that has an external identity store (Google Workspace)

0

Hi, our org is using AWS IAM Identity Center connected to Google Workspace to allow people to login to AWS with their google account. Accounts are properly synced and groups are used to provide access to the correct AWS accounts, etc. So far so good. Now we would like to allow accessing some of the internal network infrastructure by VPN. I hoped that we could just use the same SSO mechanism for that. I tried following along these blog posts:

https://aws.amazon.com/blogs/networking-and-content-delivery/using-aws-sso-with-aws-client-vpn-for-authentication-and-authorization/ https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/

But I can't get it to work. There is always a 403 when I try to access the self service portal when logged into my account. Looking at the federate request in cloudtrail just shows "Forbidden" but not any more useful info to help debug the issue.

Is there a specific step needed when working with an external identity store? Or does it not work at all?

1 Answer
1

Hi frederikP,

This kinds of troubleshooting is better served by AWS Support, which can help review your configurations to provide accurate advice. My suggestion would be to hire some level of support plan ( https://aws.amazon.com/premiumsupport/plans/ ) and create a technical support case with your troubleshooting queries.

Aside from that advice, I would suggest looking into AWS Verified Access ( https://aws.amazon.com/verified-access/ ) which is a simpler, zero-trust way to provide corporate employees access to internal resources, which I would say it's the best practice nowadays.

Hope this helps!

AWS
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions