Allowing users to rotate their own IAM access key in a different environment using their AWS SSO account


Providing a bit of an explanation to my question:

I currently use IAM Identity Center for AWS SSO. We allow restricted access to several users via this method to access the AWS Console in our various environments (production, development, usertest, etc.). We also provide IAM Programmatic accounts for CLI access to various users with less restrictive permissions.

We are attempting to find a better solution to allow users to rotate their own IAM access key in a different environment (i.e. production, dev) while using the AWS Console, which is given via AWS SSO. We have found a way to do this, which is creating a separate AWS SSO permission set for each individual user that restricts them to access only their individual IAM access key ID. This method is very hard to manage and is time consuming. Is there a way to accomplish this task without needing to create the multiple permission sets? Any guidance is appreciated.

Thank you.

1 Answer

Identity centre natively/dynamically provides program keys to users who’ve logged in via sso. Use these keys and not IAM keys. That way you do not need to manage IAM users or keys.

There isn’t really a reason to have separate access for console or cli.

answered 3 months ago
reviewed 3 months ago
  • Thank you for the reply, Gary. I would like to understand your comment of not needing to have separate access for console or CLI. My organization uses console access (via SSO) for read-only access to the environments, and uses separate CLI access (via IAM programmatic) to provide admin access to the users that need it. We also use the 2nd method because the developers need an access / secret key when interacting with an AWS resource, like CodeCommit. If I am understanding your comment correctly, could we use those program keys in place of an access key / secret key?

    Thank you for your time.

  • Exactly! IAM Identity Center (SSO) does not only provide access to the console, but can also be used to generate temporary credentials for use in the CLI (for example). In both cases, the credentials used to authenticate in an account are temporary, meaning that you don't need static / long-term access keys anymore.

    You can find more information about how to use IAM Identity Center in the documentation, at Configure the AWS CLI to use AWS IAM Identity Center. To quickly test the functionality, you can also generate temporary credentials from the browser: if you choose "Command line or programmatic access" instead of "Access Management console" on the accounts list, you'll be presented with temporary credentials which you can use in the command line.

    Also note that using this type of access and static IAM access keys don't influence each other, meaning that you can test the new approach without impact, leaving the existing solution in-place until you feel comfortable with the new solution.
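The migration the answer and comments describe, as an added example that is not part of the original thread: render the `~/.aws/config` stanza that `aws configure sso` writes for an Identity Center profile (one SSO login then covers both console and CLI), and audit an existing credentials file so the static IAM keys can be retired once the SSO profile works. The start URL, account ID, permission-set name and the sample credentials file are made up for the example; the key-prefix rule it relies on is AWS's documented convention (long-term IAM user keys begin with `AKIA`, temporary STS credentials such as those Identity Center issues begin with `ASIA`).

```python
"""Added example (not from the original post): move a CLI user from static
IAM access keys to IAM Identity Center (SSO) temporary credentials.

1. render_sso_profile() produces the sso-session + profile stanza that
   `aws configure sso` would write into ~/.aws/config;
2. classify_keys() / long_term_profiles() scan an AWS credentials/config
   file and flag profiles still carrying long-term keys.

Assumptions (not in the original thread): start URL, region, account ID,
permission-set name and SAMPLE_CREDENTIALS below are constructed values.
"""
import configparser
import re

# Long-term IAM user keys start with AKIA; temporary STS credentials
# (what Identity Center hands out) start with ASIA.
LONG_TERM_KEY = re.compile(r"^AKIA[0-9A-Z]{16}$")
TEMPORARY_KEY = re.compile(r"^ASIA[0-9A-Z]{16}$")


def render_sso_profile(profile, session, start_url, sso_region,
                       account_id, role_name, region):
    """Return the ~/.aws/config text for one Identity Center profile.

    Same content `aws configure sso` writes; role_name is the permission
    set name shown on the access portal (e.g. the read-only one the
    question mentions, or an admin one for the users who need it).
    """
    return (
        f"[sso-session {session}]\n"
        f"sso_start_url = {start_url}\n"
        f"sso_region = {sso_region}\n"
        f"sso_registration_scopes = sso:account:access\n"
        f"\n"
        f"[profile {profile}]\n"
        f"sso_session = {session}\n"
        f"sso_account_id = {account_id}\n"
        f"sso_role_name = {role_name}\n"
        f"region = {region}\n"
        f"output = json\n"
    )


def classify_keys(ini_text):
    """Map section name -> 'long-term' | 'temporary' | 'unknown' for every
    section of an AWS credentials/config file that has an access key id."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    result = {}
    for section in cp.sections():
        key = cp.get(section, "aws_access_key_id", fallback=None)
        if key is None:
            continue
        if LONG_TERM_KEY.match(key):
            result[section] = "long-term"
        elif TEMPORARY_KEY.match(key):
            result[section] = "temporary"
        else:
            result[section] = "unknown"
    return result


def long_term_profiles(ini_text):
    """Profiles that still hold static IAM keys and should be retired."""
    return sorted(p for p, kind in classify_keys(ini_text).items()
                  if kind == "long-term")


# Constructed sample: one static IAM user key, one SSO/STS session.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[prod-admin]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEBYaDEXAMPLE
"""

if __name__ == "__main__":
    print(render_sso_profile("dev-admin", "corp",
                             "https://d-example.awsapps.com/start",
                             "us-east-1", "123456789012",
                             "AdministratorAccess", "us-east-1"))
    print("still on long-term keys:", long_term_profiles(SAMPLE_CREDENTIALS))
```

After writing the stanza, `aws sso login --profile dev-admin` opens the browser once; `aws sts get-caller-identity --profile dev-admin` then returns an assumed-role ARN of the form `AWSReservedSSO_<permission set>_<hash>`, which is the check that the CLI is now using the Identity Center role rather than an IAM user. Because the two mechanisms are independent, as the last comment notes, the audit output is the list of static keys left to delete from IAM once every user's SSO profile works.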
