1 Answer
Hey there,
Although the AWS IAM service and the AWS IAM Identity Center service are both for Identity & Access Management, they are separate services. You won't find IAM users from any of the AWS accounts in your AWS Organization in the Identity Center admin portal.
A good way of thinking about it is like this:
- IAM users are per AWS account
- Identity Center users are not tied to a single AWS account; they gain access to AWS accounts by federating to them (assuming an IAM role in the chosen AWS account). This is achieved by assigning a user or group in Identity Center to a Permission Set and an AWS account.
In order to create users for IAM Identity Center, follow the steps here.
There are many benefits to using IAM Identity Center to manage your IAM tasks instead of AWS IAM. You can find a nice intro to the service here, if you would like to go over said benefits.
answered 10 months ago
Ahh OK, that makes sense. It's a minefield :)
"All" I want to do is allow a program running in one account to add a DNS record to another, but I found that root users can't assume roles, hence my attempt to create an IAM "user" that has the appropriate permission. So, from this information, I can safely ignore IIC unless I ever want to create role-based logins for humans.
The whole permissions architecture seems very flexible and capable but it's a steep learning curve - thanks for the advice, it helps me understand how it all works.
You should be able to use an IAM Role for your program, instead of going down the route of IAM Users and hard coding credentials. If your program is running off of an EC2 instance, for example, you can have instance profiles. If it's running on a Lambda function, the function can directly use an IAM Role. If you're running a program off of AWS but need AWS credentials, take a look at AWS IAM Roles Anywhere.
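The role-based approach suggested in the comment above, written out as an added example (it is not code from the thread or from AWS): the program in the workload account assumes a role in the DNS account and writes one Route 53 record with the temporary credentials. The account IDs, role name, hosted zone ID, ExternalId and record values are constructed placeholders. The trust policy restricts who may assume the role, and the permissions policy restricts the role to UPSERTing A records in a single hosted zone. The STS and Route 53 clients are passed in so the flow can be exercised offline; with boto3 they are `boto3.client("sts")` and a `boto3.client("route53", ...)` built from the returned credentials.

```python
"""Cross-account Route 53 update via an assumed IAM role (added example).

All identifiers below are placeholders constructed for this example, not
values from the re:Post thread.
"""
import json

WORKLOAD_ACCOUNT_ID = "111111111111"   # placeholder: account where the program runs
DNS_ACCOUNT_ID = "222222222222"        # placeholder: account that owns the hosted zone
ROLE_NAME = "Route53RecordWriter"      # placeholder role name in the DNS account
HOSTED_ZONE_ID = "Z0EXAMPLEZONE"       # placeholder hosted zone ID
EXTERNAL_ID = "dns-writer-example"     # shared value; mitigates the confused-deputy case


def trust_policy(workload_account_id: str, external_id: str) -> dict:
    """Trust policy attached to the role in the DNS account.

    Only principals in the workload account can assume the role, and only when
    they present the agreed ExternalId. A Principal of "*" here would let any
    AWS account attempt the assumption, which is the misconfiguration to avoid.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{workload_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(hosted_zone_id: str) -> dict:
    """Least-privilege permissions policy for the role.

    ChangeResourceRecordSets is scoped to one hosted zone ARN, and the Route 53
    condition keys narrow it further to UPSERT of A records only.
    """
    zone_arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteOneZone",
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": zone_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "route53:ChangeResourceRecordSetsRecordTypes": ["A"],
                        "route53:ChangeResourceRecordSetsActions": ["UPSERT"],
                    }
                },
            },
            {
                "Sid": "ReadOneZone",
                "Effect": "Allow",
                "Action": "route53:ListResourceRecordSets",
                "Resource": zone_arn,
            },
        ],
    }


def upsert_record(sts, route53_factory, role_arn, external_id, hosted_zone_id, name, ip):
    """Assume the cross-account role, then UPSERT an A record with the temporary credentials.

    `sts` must expose assume_role(**kwargs); `route53_factory(key, secret, token)`
    must return a client exposing change_resource_record_sets(**kwargs).
    Returns the Route 53 change ID.
    """
    resp = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName="dns-writer",
        ExternalId=external_id,
        DurationSeconds=900,   # shortest allowed session; credentials expire quickly
    )
    creds = resp["Credentials"]
    r53 = route53_factory(creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"])
    change = r53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={
            "Comment": "updated by cross-account workload",
            "Changes": [{
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": name,
                    "Type": "A",
                    "TTL": 60,
                    "ResourceRecords": [{"Value": ip}],
                },
            }],
        },
    )
    return change["ChangeInfo"]["Id"]


if __name__ == "__main__":
    import boto3  # only needed when talking to real AWS endpoints

    role_arn = f"arn:aws:iam::{DNS_ACCOUNT_ID}:role/{ROLE_NAME}"
    print(json.dumps(trust_policy(WORKLOAD_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy(HOSTED_ZONE_ID), indent=2))

    def factory(key, secret, token):
        return boto3.client("route53", aws_access_key_id=key,
                            aws_secret_access_key=secret, aws_session_token=token)

    print(upsert_record(boto3.client("sts"), factory, role_arn, EXTERNAL_ID,
                        HOSTED_ZONE_ID, "app.example.com.", "203.0.113.10"))
```

On the workload side the program still needs its own credentials to call `sts:AssumeRole`, which is where the instance profile, Lambda execution role, or IAM Roles Anywhere certificate mentioned above comes in; nothing long-lived has to be stored in the program.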