By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How to use IAM users, groups and roles with SSO

0

My organization has no AD nor any IdP that can be used to link AWS SSO to. I see that the SSO identity store has no cf/cli/api feature to manage users.

Is there a way to use IAM users, goups and roles in the root account to log into the other organization accounts?

If so, how to?

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
AWS Identity and Access ManagementAWS Command Line InterfaceAWS CloudFormationAWS IAM Identity Center
Language
English
AWS-User-2803420
asked 2 years ago419 views
1 Answer
2

You can log into the member accounts from the root account by Switch Role. Of course, you need to attach proper permission to the IAM users, goups and roles in the root account.

If Organizations not Control Tower, the role "OrganizationAccountAccessRole" in default is assigned to the member accounts. If Control Tower, "AWSControlTowerExecution" is assigned.

In this use case, the root account is often called as jump account. However, for example In production, It is better to use another account not the root account as jump account for separating permissions from the root account.

https://aws.amazon.com/premiumsupport/knowledge-center/organizations-member-account-access/

https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html

AWS
suzuki
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content