Can't see IAM users in IAM Identity Center


I have an AWS Organization with multiple Accounts, and would like to create IAM users in each Account. In the first Account I've created an IAM user group and an IAM user assigned to the group. I can log in to the console using the Account ID/Username/Password.

I then logged in as the Organization admin and enabled "IAM Identity Center". In the IIC, I created a Permission set, then chose "AWS accounts". The tree view list of my organization displayed, I selected the checkbox next to the AWS account to which I want to assign access, and I clicked the “Assign users or groups” button.

No users or groups appear ... where have I gone wrong?

Thanks for any help!

1 Answer
Accepted Answer

Hey there,

Although the AWS IAM service and the AWS IAM Identity Center service are both for Identity & Access Management, they are separate services. You won't find IAM users from any of the AWS accounts in your AWS Org in the Identity Center admin portal.

A good way of thinking about it is like this:

  • IAM users are per AWS account
  • Identity Center users are not tied to a single AWS account; they gain access to AWS accounts by federating to them (assuming an IAM role in the chosen AWS account). This is achieved by assigning a user or group in Identity Center to a Permission Set and an AWS account.

In order to create users for IAM Identity Center, follow the steps here.

There are many benefits to using IAM Identity Center to manage your IAM tasks instead of AWS IAM. You can find a nice intro to the service here if you would like to go over said benefits.

Answered by AWS 10 months ago; reviewed by AWS experts 10 months ago and 4 months ago.
  • Ahh OK, that makes sense. It's a minefield :)

    "All" I want to do is allow a program running in one account to add a DNS record to another, but I found that root users can't assume roles, hence my attempt to create an IAM "user" that has the appropriate permission. So, from this information, I can safely ignore IIC unless I ever want to create role-based logins for humans.

    The whole permissions architecture seems very flexible and capable but it's a steep learning curve - thanks for the advice, it helps me understand how it all works.

  • You should be able to use an IAM Role for your program instead of going down the route of IAM Users and hard-coding credentials. If your program is running off of an EC2 instance, for example, you can use instance profiles. If it's running on a Lambda function, the function can directly use an IAM Role. If you're running a program off of AWS but need AWS credentials, take a look at AWS IAM Roles Anywhere.
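The cross-account pattern the comment above recommends, as an added example that is not part of the original thread: a role in the account that owns the hosted zone trusts only the specific role the program runs as (never the whole caller account via ":root"), its permissions are scoped to one record name and record type in one zone with the route53:ChangeResourceRecordSets* condition keys, and the program obtains short-lived credentials with STS AssumeRole rather than an IAM user's access key. The account IDs, role names, hosted zone ID and record name are placeholders; the live call needs boto3 and credentials for the caller role, while the policy helpers run offline.

```python
"""Cross-account Route 53 update with an IAM role instead of an IAM user.

Added example, not code from the re:Post thread. Assumed placeholders:
  - the program runs in account 111111111111 under role "dns-updater-caller"
  - hosted zone Z0EXAMPLE lives in account 222222222222
  - that account holds role "route53-record-writer", which trusts the caller
"""
import json

CALLER_ACCOUNT = "111111111111"        # placeholder: account running the program
CALLER_ROLE = "dns-updater-caller"     # placeholder: role the program runs as
DNS_ACCOUNT = "222222222222"           # placeholder: account that owns the zone
WRITER_ROLE = "route53-record-writer"  # placeholder: role created in DNS_ACCOUNT
HOSTED_ZONE_ID = "Z0EXAMPLE"           # placeholder hosted zone ID


def trust_policy(caller_account: str, caller_role: str) -> dict:
    """Trust policy for WRITER_ROLE: exactly one role may assume it.

    Trusting "arn:aws:iam::<acct>:root" would let every principal in the
    caller account assume the role; naming the role limits the blast radius.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{caller_account}:role/{caller_role}"},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(hosted_zone_id: str, record_name: str) -> dict:
    """Permissions for WRITER_ROLE: change one A/TXT name in one hosted zone.

    The condition keys stop a compromised caller from rewriting other
    records (the zone apex, MX, other hosts) in the same zone.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "route53:ChangeResourceRecordSets",
                "Resource": f"arn:aws:route53:::hostedzone/{hosted_zone_id}",
                "Condition": {"ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsRecordTypes": ["A", "TXT"],
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [record_name],
                }},
            },
            # Needed to poll propagation of the change the role just made.
            {"Effect": "Allow", "Action": "route53:GetChange",
             "Resource": "arn:aws:route53:::change/*"},
        ],
    }


def trust_policy_is_scoped(policy: dict) -> bool:
    """Return False if any statement trusts a whole account (":root") or "*"."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*" or arn.endswith(":root"):
                return False
    return True


def upsert_a_record(record_name: str, ip: str, ttl: int = 60) -> str:
    """Assume WRITER_ROLE via STS and UPSERT an A record; returns the change ID.

    boto3 is imported lazily so the policy helpers above work without it.
    """
    import boto3

    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{DNS_ACCOUNT}:role/{WRITER_ROLE}",
        RoleSessionName="dns-updater",
        DurationSeconds=900,  # minimum; one call is all the program needs
    )["Credentials"]
    r53 = boto3.client(
        "route53",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    resp = r53.change_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID,
        ChangeBatch={"Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {"Name": record_name, "Type": "A", "TTL": ttl,
                                  "ResourceRecords": [{"Value": ip}]},
        }]},
    )
    return resp["ChangeInfo"]["Id"]


if __name__ == "__main__":
    # Print the two documents to attach to WRITER_ROLE in DNS_ACCOUNT.
    print(json.dumps(trust_policy(CALLER_ACCOUNT, CALLER_ROLE), indent=2))
    print(json.dumps(permissions_policy(HOSTED_ZONE_ID, "app.example.com"), indent=2))
```

Give CALLER_ROLE itself only `sts:AssumeRole` on the writer role's ARN; on EC2 that role is attached through an instance profile, on Lambda as the execution role, and outside AWS through IAM Roles Anywhere, so no long-lived access key exists anywhere in the chain.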
