How to use IAM users, groups and roles with SSO
My organization has no AD nor any IdP that can be used to link AWS SSO to. I see that the SSO identity store has no cf/cli/api feature to manage users.
Is there a way to use IAM users, groups and roles in the root account to log into the other organization accounts?
If so, how to?
You can log into the member accounts from the root account by using Switch Role. Of course, you need to attach the proper permissions to the IAM users, groups and roles in the root account.
If you use Organizations without Control Tower, the role "OrganizationAccountAccessRole" is assigned to the member accounts by default. If you use Control Tower, "AWSControlTowerExecution" is assigned.
In this use case, the root account is often called the jump account. However, in production for example, it is better to use another account rather than the root account as the jump account, to separate its permissions from those of the root account.
https://aws.amazon.com/premiumsupport/knowledge-center/organizations-member-account-access/
https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html
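An added example of wiring up the switch-role approach described in the answer (not code from the answer or from AWS): a POSIX shell script that generates the identity policy for the jump-account IAM group and the CLI profile stanza that performs the switch automatically. It goes slightly beyond the answer by scoping `sts:AssumeRole` to explicit member accounts and requiring MFA, since the member-side role's default trust policy accepts any principal in the management account that holds this permission. Account IDs, the `jump` profile, the group name and the MFA ARN are hypothetical placeholders.

```shell
#!/usr/bin/env sh
# Added example; identifiers below are placeholders, not the page's own.
ROLE_NAME="OrganizationAccountAccessRole"  # AWSControlTowerExecution under Control Tower

# Identity policy for the jump-account IAM group: AssumeRole only into the
# listed member accounts' access role, and only when MFA is present.
assume_role_policy() {
  resources=""
  for acct in "$@"; do
    resources="${resources}${resources:+,}\"arn:aws:iam::${acct}:role/${ROLE_NAME}\""
  done
  printf '%s\n' "{
  \"Version\": \"2012-10-17\",
  \"Statement\": [{
    \"Effect\": \"Allow\",
    \"Action\": \"sts:AssumeRole\",
    \"Resource\": [${resources}],
    \"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": \"true\"}}
  }]
}"
}

# ~/.aws/config stanza: the CLI assumes the member role on every call using
# the long-lived 'jump' profile credentials plus an MFA code.
member_profile() {
  # $1 profile name, $2 member account id, $3 MFA device ARN
  printf '%s\n' "[profile $1]
role_arn = arn:aws:iam::$2:role/${ROLE_NAME}
source_profile = jump
mfa_serial = $3
role_session_name = $(id -un)-switch-role"
}

# Usage (needs real credentials in the 'jump' profile; not run here):
#   assume_role_policy 222222222222 333333333333 > group-policy.json
#   aws iam put-group-policy --group-name MemberAdmins --policy-name SwitchRole \
#       --policy-document file://group-policy.json
#   member_profile prod 222222222222 arn:aws:iam::111111111111:mfa/alice >> ~/.aws/config
#   aws --profile prod sts get-caller-identity
```

The same policy and profile work for Control Tower landing zones by changing `ROLE_NAME` to `AWSControlTowerExecution`.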