Have you set up an AWS organisation yet?
Identity Centre is best used when you have an org and multiple workload accounts contained in the org. The first account in the org is the management account and should be as empty as possible, with workload resources in their own accounts.
Identity Centre should be enabled in the management account, with a delegated administrator set to a sub-account for management.
The issue around access to Identity Center is that the policy needs to be set up for the member account. Even though the user is logged in as root, the member account of that root user needs to be delegated access to Organisations. If the user is logged in using the root of a management account, then the user is able to enable and access Identity Center without needing to be delegated, which involves setting up/applying a policy to the account.
To elaborate on the answer provided by Gary above, I found an article on [how to delegate administrator for AWS Organisations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html). The first example in the article provides the policy that allows the member account access to IAM Identity Center.
The structure of your organisation should be like this:
Root
Management Account (created by default during account setup)
AdministratorTeam (Organisational Unit)
=> Projects (a member account of AdministratorTeam)
=> Projects/PowerAccount (A Group created using Identity Center)
=> Projects/PowerAccount/Nikki (A user within PowerAccount group)
TechnicalSupport (Organisational Unit)
AWS recommends not logging in to a member/management account as root. AWS recommends logging in as a user under a non-management account, because SCPs do not apply to the management account, and users added to the management account are not affected by SCPs.
I created an Organisational Unit (OU) called AdministratorTeam and added a member account called Projects (using the management account). Then I added a Group (within Identity Center) to the Projects member account. The PowerAccount Group contains a user, Nikki.
You can use [Create an Administrative User in IAM Identity Center](https://docs.aws.amazon.com/SetUp/latest/UserGuide/setup-createadminperms.html) to set up the user Nikki and the Group. On the Permission Set, I added AdministratorAccess.
Then use the above [how to delegate administrator for AWS Organisations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_delegate_policies.html) to set up the policy for the Projects member account. Replace the account ID in the principal with the account ID for Projects:
"Principal": { "AWS": "arn:aws:iam::AccountId:root" },
Note that, in the policy, the `root` after the account ID cannot be replaced with a user or group as it can with IAM ARNs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). With Identity Center, you can only assign the policy to a member account.
Now, try to log in as Nikki. You should be able to access IAM Identity Center.
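As an added example (not from the original post and not the AWS guide's own text), the following Python helper builds the Organizations resource-based delegation policy for the Projects member account and rejects any principal that is not an account root, which is exactly the substitution the note above says is not allowed. The account ID is a constructed placeholder, and the action list is an assumption modelled on the Describe/List actions in the linked guide's Identity Center example; check it against the guide before applying it.

```python
"""Build and sanity-check an AWS Organizations delegation policy for a member account."""
import json
import re

# Constructed sample: a placeholder 12-digit ID standing in for the "Projects"
# member account. Not a real account.
PROJECTS_ACCOUNT_ID = "111122223333"

# ASSUMPTION: Describe/List actions modelled on the Identity Center example in
# the AWS Organizations delegation guide. Verify against the current guide.
IDENTITY_CENTER_DELEGATED_ACTIONS = [
    "organizations:DescribeOrganization",
    "organizations:DescribeOrganizationalUnit",
    "organizations:DescribeAccount",
    "organizations:ListRoots",
    "organizations:ListOrganizationalUnitsForParent",
    "organizations:ListParents",
    "organizations:ListChildren",
    "organizations:ListAccounts",
    "organizations:ListAccountsForParent",
    "organizations:ListTagsForResource",
]

# A delegation policy principal must be an account root, never a user/group/role.
ACCOUNT_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def account_root_principal(account_id: str) -> str:
    """Return the account-root ARN for a 12-digit account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return f"arn:aws:iam::{account_id}:root"


def validate_principal(arn: str) -> str:
    """Accept only arn:aws:iam::<account>:root and return the account ID.

    IAM user/group/role ARNs are rejected: the delegation policy is assigned
    to the member account, not to an Identity Center user or group.
    """
    match = ACCOUNT_ROOT_ARN.match(arn)
    if not match:
        raise ValueError(f"delegation principal must be an account root, got {arn!r}")
    return match.group(1)


def build_delegation_policy(member_account_id: str, actions=IDENTITY_CENTER_DELEGATED_ACTIONS) -> dict:
    """Build the resource-based policy attached to the organisation."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DelegateIdentityCenterReadToMember",
                "Effect": "Allow",
                "Principal": {"AWS": account_root_principal(member_account_id)},
                "Action": list(actions),
                "Resource": "*",
            }
        ],
    }


def delegated_account_ids(policy: dict) -> set:
    """Parse a policy document and return every account it delegates to.

    Raises ValueError if any Allow statement names a non-root principal.
    """
    accounts = set()
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            accounts.add(validate_principal(arn))
    return accounts


def cli_command(policy: dict) -> str:
    """The AWS CLI call that applies the policy from the management account."""
    return "aws organizations put-resource-policy --content '" + json.dumps(policy) + "'"


if __name__ == "__main__":
    policy = build_delegation_policy(PROJECTS_ACCOUNT_ID)
    print(json.dumps(policy, indent=2))
    print("Delegated to:", delegated_account_ids(policy))
    print(cli_command(policy))
```

Run it from the management account's credentials; `put-resource-policy` replaces the whole organisation resource policy, so merge in any statements you already have before applying the output.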
Can I set up an administrative account without enabling Identity Center? I have attached some screenshots to my post.