Can I keep existing IAM users and add SSO to our accounts?
Hi,
We currently have several accounts all using IAM - users, roles, policies. We would like to improve how we manage our users by using SSO with our Active Directory account so that we have a centralised location for our users.
We also have users that are for external service providers (people) and applications that are not in our active directory.
Are we able to use the SSO for our users and then manage our other users in IAM or is having both SSO users and IAM users incompatible?
What happens to our existing IAM users if we activate the SSO?
Kind Regards
David
SSO and IAM users can coexist. Nothing happens to your existing IAM users, groups, roles or policies when you provision SSO into your accounts.
SSO appears as a new identity provider in your IAM config and manages its own roles (permission sets) alongside your normal IAM roles. Users coming in via SSO roles can also assume other IAM roles (with the right permissions), though watch out for condition strings in policies as things like MFA constraints don't work for SSO users.
Overall AWS SSO is a benefit, but be prepared for a small learning curve and extra work on the governance side as AWS SSO is less mature than IAM and seems to be taking a while to catch up.
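The answer above warns that MFA constraints in policy conditions do not work for SSO users. As an added example (not part of the original answer), this script scans policy documents for the IAM MFA condition keys so those statements can be reviewed before SSO roles are allowed to assume existing IAM roles. The function name, sample policies and the placeholder account ID are constructed for illustration.

```python
import json

# IAM global condition keys used for MFA checks.
MFA_KEYS = {"aws:multifactorauthpresent", "aws:multifactorauthage"}

def find_mfa_conditions(policy):
    """Return one finding per condition in the policy that tests an MFA key."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        for operator, tests in stmt.get("Condition", {}).items():
            for key in tests:
                if key.lower() in MFA_KEYS:  # key names are not case-sensitive
                    findings.append({
                        "statement": stmt.get("Sid", f"#{index}"),
                        "effect": stmt.get("Effect"),
                        "operator": operator,
                        "key": key,
                    })
    return findings

# Constructed samples; 111122223333 is a placeholder account ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    },
}
IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
        {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("trust", TRUST_POLICY), ("identity", IDENTITY_POLICY)):
        for f in find_mfa_conditions(doc):
            print(name, f["statement"], f["effect"], f["operator"], f["key"])
```

Feed it the trust policies of roles that SSO users need to assume, plus any identity or boundary policies attached to them, and review each flagged statement.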