
Unable to enable IAM Identity Center

1

I opened an AWS account a few years ago and did nothing with it. I recently logged back in and am trying to set up best practices like having a root management account and then a separate admin account that handles admin tasks so that I can deploy a few apps that I've been working on. To do this I tried to create a new user and user group within the console to be an admin user. This is where my problems started.

I kept getting pop-ups saying that I should enable user creation via IAM Identity Center. Great, let's enable that. Apparently I need to set up an organization. I created one and set up the original account I had to be the management account for the organization. I enabled the AWS IAM Identity Center and AWS Identity and Access Management services for my organization. Great. Now when I go back to IAM Identity Center and click on Confirm your Identity Source, I get a snackbar that tells me to "Enable access to IAM Identity Center for member accounts in your organization. You can manage this access later using Service Control Policies in AWS Organizations." This seems a bit odd as I have already enabled the service, but regardless, when I click the Enable access button, I get an error "Sharing feature is not supported for an account level instance with id ssoins-<redacted>". What is going on here and how on earth do you actually enable IAM Identity Center? I've looked at other answers and the solution has been to enable the service, which I have absolutely done. Forgive me for the impatience, but I have spent hours on something that should frankly be a non-issue.

Organization view

Account view

3 Answers
0
Accepted Answer

I was experiencing the exact same issue as you today! Amazon account a few years old and I was applying all of the current recommended best practices. After fumbling around for a while I decided to just delete my IAM Identity Center instance to see if that would help.

Edited and clarified answer based on feedback from the original poster WJ, thank you!

Open the IAM Identity Center console.

  1. In the left pane, choose Settings.
  2. Choose the Management tab.
  3. In the Delete IAM Identity Center instance section, choose Delete. After that, navigate to the region that you want the IAM IDC instance to be based in, in the management account, then go to the IAM IDC console, and enable it with AWS Organizations [2].

Then I went back to my organization and re-created/enabled the IAM Identity Center from there and it finally worked as documented!! Hopefully this is helpful, here's a few screenshots of how I re-enabled IAM Identity Center from the org level after I deleted it.

First I went to AWS Organizations > Services

Services Menu

Then I selected Access & Permissions under Integrated Services. Note: I forgot to get a screenshot before I enabled AWS IAM Identity Center. It will initially show as Not enabled.

Access & Permissions

Select AWS IAM Identity Center and then Enable trusted access. You'll get a scary warning about enabling access; I just went ahead anyway. See this Stack Overflow post and the screenshot I stole from the post:

stackoverflow screenshot

Once I enabled access I got a message saying that access had been granted and gave me a link to navigate to AWS IAM Identity Center:

access granted

I finished configuring the basics in IAM Identity Center and didn't have any of the original errors anymore. I also noticed that the sidebar menu now had new options (multi-account permissions, etc) that were missing before:

Sidebar Menu

Let me know if you are still having issues, I probably forgot and left out a step or two along the way.

Cheers!

answered a year ago
  • I appreciate the time and effort you put into this answer, but I cannot accept it as following the steps above does not resolve the problem. Same errors, same pop-ups after disabling and re-enabling IAM Identity Center. Thank you for the attempt though

  • I've troubleshot with AWS, and your answer actually does work with some clarification. I've accepted it. Thank you for your time and detailed response

    1. Open the IAM Identity Center console.
    2. In the left pane, choose Settings.
    3. Choose the Management tab.
    4. In the Delete IAM Identity Center instance section, choose Delete. After that, navigate to the region that you want the IAM IDC instance to be based in, in the management account, then go to the IAM IDC console, and enable it with AWS Organizations [2].
0

Hello.

You don't need to enable IAM Identity Center just to sign in to your AWS account.
Simply create an IAM user in the relevant AWS account and set the IAM policies necessary for operation.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

If you have already enabled IAM Identity Center, the ID source will be IAM Identity Center by default, so you will be able to create a user.
I think there is a menu item called Users on the left side of the IAM Identity Center console screen, so you will need to create a user from there and link it to your AWS account.
https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html

EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • So I'm in limbo right now. According to the Organizations page that I'm logged into, AWS IAM Identity Center is enabled. Great. According to the account that is the only child account under the organization, IAM Identity Center is not enabled. I can't use IAM Identity Center as a source for identity because, as you can see in the second screenshot, there is nothing identifiable in it. I updated the question with screenshots showing what I'm seeing that makes no sense.

  • This doesn't work. The above errors are still occurring.

-2

It appears you're encountering a complex issue with enabling IAM Identity Center in your AWS account. The problem likely stems from the fact that you created your account a few years ago and are now trying to set it up with current best practices.

The error message you're receiving, "Sharing feature is not supported for an account level instance with id ssoins-<redacted>", suggests that you may have an account-level instance of IAM Identity Center already set up in your account, possibly in a different region than the one you're currently working in.

IAM Identity Center is designed to work best with AWS Organizations, which you've correctly set up. However, the existing account-level instance is causing conflicts with the organization-wide setup you're trying to achieve.

To resolve this issue, you could try the following steps:

  1. Check all AWS regions in your account to see if IAM Identity Center is already enabled in one of them. You can only have one instance of IAM Identity Center per AWS account.

  2. If you find the region where it's enabled, try to work from that region instead. If you prefer to use a different region, you may need to disable the existing instance first.

  3. If you can't find the existing instance or are unable to disable it, you may need to contact AWS Support for assistance in removing the account-level instance.

  4. Once the account-level instance is removed or you've switched to the correct region, try enabling IAM Identity Center again through your organization's management account.

  5. If you're still encountering issues, there's a possibility that your organization was created before September 14, 2023, and may require an administrator to opt-in for account instance creation from the IAM Identity Center console in the management account.

If these steps don't resolve the issue, you may need to reach out to AWS Support for further assistance, as they can provide more detailed, account-specific guidance.
Sources:
  • Troubleshooting IAM Identity Center issues - AWS IAM Identity Center
  • I can't enable IAM Identity Center service | AWS re:Post
  • Cannot open IAM Identity Center / Region issue | AWS re:Post

answered a year ago
EXPERT
reviewed a year ago
  • This AI-generated answer does not work as I am unable to locate any other IAM instances running in other regions for my account. Everything is in US-East-1 so these steps do not apply.
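A read-only check that covers the two verifications the answers above ask for: the accepted answer's "enable trusted access from AWS Organizations" step and this answer's step 1 (look in every region for an existing Identity Center instance, since the console only shows the region you are currently in). This is an added example, not code from the thread, from AWS documentation, or from any AWS tool. It assumes AWS CLI v2 with credentials for the organization's management account that allow ec2:DescribeRegions, sso:ListInstances and organizations:ListAWSServiceAccessForOrganization; the instance ARN in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread or from AWS: a read-only
# sweep that lists IAM Identity Center instances in every enabled region and
# reports whether AWS Organizations has trusted access enabled for the
# Identity Center service principal (sso.amazonaws.com).
# Assumes AWS CLI v2 and management-account credentials with
# ec2:DescribeRegions, sso:ListInstances and
# organizations:ListAWSServiceAccessForOrganization permissions.
set -u

# Pull the ssoins-... identifier out of an instance ARN. The error in the
# question names the instance by this id, while the console and CLI show the
# ARN. Constructed sample ARN: arn:aws:sso:::instance/ssoins-0123456789abcdef
instance_id_from_arn() {
  printf '%s\n' "$1" | sed 's#.*/##'
}

# Given the whitespace-separated service principals returned by
# list-aws-service-access-for-organization, report whether Identity Center's
# principal is among them. Exact match, so sso-directory.amazonaws.com alone
# does not count as trusted access for Identity Center.
sso_trusted_access_enabled() {
  printf '%s\n' "$1" | tr -s '[:space:]' '\n' | grep -qxF 'sso.amazonaws.com'
}

# Ask Organizations which service principals have trusted access and report
# the Identity Center one; this is the CLI view of Organizations > Services.
check_trusted_access() {
  principals=$(aws organizations list-aws-service-access-for-organization \
    --query 'EnabledServicePrincipals[].ServicePrincipal' --output text)
  if sso_trusted_access_enabled "$principals"; then
    echo "trusted access for sso.amazonaws.com: enabled"
  else
    echo "trusted access for sso.amazonaws.com: NOT enabled"
    echo "  enable it under Organizations > Services > IAM Identity Center, or:"
    echo "  aws organizations enable-aws-service-access --service-principal sso.amazonaws.com"
  fi
}

# Walk every region the account has enabled. An account can hold at most one
# Identity Center instance, and it lives in exactly one region.
sweep_regions() {
  found=0
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    arns=$(aws sso-admin list-instances --region "$region" \
      --query 'Instances[].InstanceArn' --output text 2>/dev/null) || continue
    for arn in $arns; do
      [ "$arn" != "None" ] || continue
      found=$((found + 1))
      printf 'region=%s id=%s arn=%s\n' "$region" "$(instance_id_from_arn "$arn")" "$arn"
    done
  done
  echo "Identity Center instances found: $found"
}

# The live AWS calls only run when asked for explicitly, so the helper
# functions can be sourced and checked without network access.
if [ "${1:-}" = "--run" ]; then
  check_trusted_access
  sweep_regions
fi
```

Run it as `sh check_idc.sh --run` from a shell with management-account credentials. If it reports trusted access enabled and exactly one instance whose id matches the `ssoins-...` in the error message, you are in the situation the accepted answer describes: an instance that predates the organization-level enablement. The console delete in the accepted answer's step 3 has a CLI counterpart, `aws sso-admin delete-instance --instance-arn <arn>`; the script deliberately does not call it, because deleting the instance also removes its users, groups and permission sets.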
