When using AWS Identity Center (IC), IAM users are no longer even involved. IAM users are completely separate from IC users. If you want to only have IC configured one time in OrgA, you can have new assumable roles in every account across OrgB and OrgC. However, if you have configured IC for each org, I would do that. Then the users are managed via your external Identity Provider and you can more easily manage granular permissions across accounts in each org instead of deploying unique assumable roles across your other accounts. You can deploy IC in parallel to your IAM user configuration and have no impact, use both solutions together until you have configured IC how you need, and then recommend terminating IAM users for Console Access and only use them when absolutely necessary for programmatic access.
I'm looking for like a single IC to manage all the users from a single Org instead of having to manage the users in nth Orgs which will be difficult to keep track of.
Right now, Identity Center has not been configured for any organisations; the IAM users are using assume roles. AD users have the same username as IAM users.
Is it possible to do the management of users from within a single Identity Center while integrated with the AD, without having to replicate the IAM users across organisations?
As I stated, you could create a single IC configuration in OrgA. Then using permission sets in an account and role trust policies, you could, in fact, manage access to other accounts from a single IC, but it will not give you the direct result you are looking for. There is no other way to use IC to access multiple Orgs. Again, IAM users are not in the equation when using IC.
When using AD and IC, your IdP and SCIM configuration will replicate the same users to all orgs. It just boils down to the proper configuration. This setup would be significantly more scalable, secure, and simplified than using individual IAM users in each org and account(s). N number of IC configurations is way better than N x Accounts x Users.
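The "single IC in OrgA plus permission sets and role trust policies" pattern from the answer above, as an added Terraform example that is not from this thread or from AWS; the account IDs, the SSO instance ARN and the role and permission-set names are placeholders.

```hcl
# Added example, not from the thread. One Identity Center (IC) instance in
# OrgA reaches an OrgB account through a permission set whose only right is
# to assume a named role there; that role trusts only the IC-managed role.
# All account IDs, ARNs and names below are placeholders.
provider "aws" {
  alias  = "orga" # OrgA account that administers IC
  region = "us-east-1"
}
provider "aws" {
  alias  = "orgb" # OrgB member account that receives the role
  region = "us-east-1"
}
locals {
  orga_account  = "111111111111" # OrgA account the permission set is assigned to
  sso_instance  = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"
  orgb_role_arn = "arn:aws:iam::222222222222:role/CrossOrgReadOnly"
}
# OrgA side: the permission set may do nothing but assume the OrgB role.
resource "aws_ssoadmin_permission_set" "cross_org" {
  provider     = aws.orga
  name         = "CrossOrgReadOnly"
  instance_arn = local.sso_instance
}
resource "aws_ssoadmin_permission_set_inline_policy" "cross_org" {
  provider           = aws.orga
  instance_arn       = local.sso_instance
  permission_set_arn = aws_ssoadmin_permission_set.cross_org.arn
  inline_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Resource = local.orgb_role_arn }]
  })
}
# OrgB side: trust the OrgA account, but only when the caller is the role
# IC provisions for this permission set (AWSReservedSSO_<name>_<suffix>).
resource "aws_iam_role" "cross_org_readonly" {
  provider = aws.orgb
  name     = "CrossOrgReadOnly"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${local.orga_account}:root" }
      Condition = { StringLike = {
        "aws:PrincipalArn" = "arn:aws:iam::${local.orga_account}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_CrossOrgReadOnly_*"
      } }
    }]
  })
}
```

The permission set still needs an `aws_ssoadmin_account_assignment` granting it to a user or group in the OrgA account named in `orga_account`; IC users then land there with temporary credentials and assume the OrgB role, while the `aws:PrincipalArn` condition keeps any other principal in OrgA from using the trust.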
I have another question: what about the IAM users' security credentials? Will the IC users be able to use them (after being mapped to their respective IAM users): Access keys, MFA, SSH public keys for AWS CodeCommit, HTTPS Git credentials for AWS CodeCommit, etc.
No, there are no IAM credentials or access keys for IC users. They will not be able to be used by IC users. Access Keys would be the remaining use case for IAM users. Temporary session credentials are provided to IC users to allow CLI access. IC users can assume roles in the account but not IAM users. CodeCommit and everything else listed will still be used and be the use case for IAM users. While using IC greatly reduces the need for IAM users and helps with centralized management, IC is used for Console Access primarily with the ability to have temp creds for CLI. The IAM use case is for these other requirements, but with IC, you should be able to completely remove console access for IAM users.