Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.
How to change delegated administrator for Identity Center in LZA?
Hi all
I'm deploying the Landing Zone Accelerator on AWS (LZA) https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/. I could see it delegated administrator for IAM Identity Center to Audit account. I'd love to change it to other account such as custom Identity account. Can I change it manually? Or is there any other way to use config file?
Thanks.
- Language
- English
- Newest
- Most votes
- Most comments
You should be able to achieve this by using delegatedAdminAccount https://awslabs.github.io/landing-zone-accelerator-on-aws/latest/typedocs/v1.6.0/classes/_aws_accelerator_config.IdentityCenterConfig.html#delegatedAdminAccount
Set the following in iam-config.yaml:
.
.
.
identityCenter:
name: my-organisation
delegatedAdminAccount: LZA-Delegate-Account
.
.
.
Where the account is defined in accounts-config.yaml:
workloadAccounts:
.
.
.
- email: lza-delegate-email@mycompany.com
name: LZA-Delegate-Account
organizationalUnit: ...
.
.
.
You can change the delegated administrator to another account, but there may be limitations when that administrator account makes API calls to resources that live in the Management account, as I understand it this will be addressed in an upcoming release as well. This documentation may be helpful: https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html Hope this helps!
Relevant content
- asked 10 months ago
- asked 2 years ago
- asked 2 years ago
- asked 10 months ago
