Google as External Identity Source QnA


I'm implementing SSO for a client who uses Google Workspace. They are an existing AWS user with a single AWS account and 10 IAM users set up with non-work email addresses. There are other non-human, CLI and service IAM users set up for various programmatic and automation functionality.

After applying the SSO integration with Google, please confirm.

  • Will all existing IAM users be able to continue to log in?
  • Will existing IAM key/secret combos work where automation, CLI and scripts are set up?
  • Will an IAM user still be able to log in to the AWS console using his previous IAM credentials?
  • Will the root user, the user that set up SSO, be locked out when SSO is enabled?

Obviously I will set up provisioning in Google/AWS so that the business work accounts get created in AWS and workers can begin using that, but I want to clarify what happens with the existing IAM user accounts after I click CONFIRM on the SSO setup, as I don't want to be locked out.

Thank you

asked a year ago, 270 views
1 Answer
Accepted Answer
  1. IAM users will be unaffected by the change
  2. Existing long-term credentials (like access keys and secrets) will be unaffected by the change
  3. IAM users will be unaffected by the change
  4. The root user will not be locked out by setting up SSO

SSO functions in parallel with all the authentication examples you have given. You would likely want to remove the IAM users eventually, and force all humans to use SSO, so that their access is managed by your identity provider. You will still need some long-term credentials for your programmatic access (and somewhat ironically, IAM users are sometimes the best way to provide that to your automated processes).

answered a year ago
  • Thank you, that's very helpful.
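
An added example, not part of the original question or answer: since IAM users, their access keys and the root user all keep working alongside SSO, this sketch sorts the rows of an IAM credential report into the groups the answer distinguishes (humans to move to SSO, programmatic users to keep). The report data is constructed, the account ID is a placeholder, and the function names and bucket labels are hypothetical.

```python
import csv
import io

# Constructed sample using column names from the IAM credential report
# (subset of columns; the account ID is a placeholder).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,true
old-script,arn:aws:iam::111122223333:user/old-script,false,false,false,false
"""


def classify(row):
    """Bucket one report row by the kind of credentials it still holds."""
    if row["user"] == "<root_account>":
        return "root"  # root sign-in is separate from SSO
    console = row["password_enabled"] == "true"
    keys = "true" in (row["access_key_1_active"], row["access_key_2_active"])
    if console and keys:
        return "human-with-keys"  # move the person to SSO, review what the keys do
    if console:
        return "human"            # candidate to replace with an SSO identity
    if keys:
        return "programmatic"     # automation; unaffected by enabling SSO
    return "inactive"             # no password, no active keys


def migration_plan(report_csv):
    """Map bucket name -> list of user names, in report order."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        buckets.setdefault(classify(row), []).append(row["user"])
    return buckets


def console_users_without_mfa(report_csv):
    """Password logins that keep working after SSO is enabled and lack MFA."""
    return [r["user"] for r in csv.DictReader(io.StringIO(report_csv))
            if r["password_enabled"] == "true" and r["mfa_active"] != "true"]


if __name__ == "__main__":
    for bucket, users in migration_plan(SAMPLE_REPORT).items():
        print(f"{bucket}: {', '.join(users)}")
    print("console without MFA:", console_users_without_mfa(SAMPLE_REPORT))
```

A real report can be produced with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose content is base64-encoded CSV with these columns among others.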