Control Tower and IAM User with Programmatic Access
I am working through a Control Tower workshop, and my understanding from the documentation is that IAM Identity Center (formerly AWS SSO) is where I go to create new users going forward with a Control Tower setup. However, for a scenario where I need to create a User with Programmatic Access (Access Key ID and Secret Access Key), I don't see that as an option in IAM Identity Center. Is the recommended approach to use IAM in that scenario and create the account there? If so, will that cause confusion down the road with some user accounts not being managed by IAM Identity Center and others in IAM?
- Newest
- Most votes
- Most comments
Hi, when using AWS Identity Center, programmatic access credentials become temporary. This fits more within the best practice recommendations of not having long life credentials. The AWS CLI can support integration with IAM Identity Center, https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html. A user would run the CLI login process. It will retrieve a temporary Access Key ID and Secret Access Key and use those for the session. The duration of the session can be configured within the Identity Center permission set. IAM based credentials can still be used, but the recommendation is they are limited to Service Access (as an example Automation tools or SaaS products that need access).
Relevant content
- Accepted Answerasked 9 months ago
- asked 7 months ago
AWS OFFICIALUpdated 5 months ago- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated a year ago
Thanks Jimmy. My scenario is what you are referring to in the last sentence...I need an account for Service Access, so it sounds like IAM is still the goto for that scenario. I appreciate the additional context for the CLI login process with the temp keys.