Google as External Identity Source QnA

0

I'm implementing SSO for a client who uses Google Workspace. They are an existing AWS user with a single AWS account and 10 IAM users set up with non-work email addresses. There are other non-human, CLI and service IAM users set up for various programmatic and automation functionality.

After applying the SSO integration with Google, please confirm:

  • Will all existing IAM users be able to continue to log in?
  • Will existing IAM key/secret combos work where automation, CLI and scripts are set up?
  • IAM User bob@yahoo.com will still be able to log in to the AWS console using his previous IAM credentials?
  • Will the root user, the user that set up SSO, be locked out when SSO is enabled?

Obviously I will set up provisioning in Google/AWS so that the business work accounts get created in AWS and workers can begin using that, but I want to clarify what happens with the existing IAM user account after I click CONFIRM on the SSO setup, as I don't want to be locked out.

Thank you

enterx
asked 1 year ago · 251 views
1 Answer
1
Accepted Answer
  1. IAM users will be unaffected by the change
  2. Existing long-term credentials (like access keys and secrets) will be unaffected by the change
  3. IAM users will be unaffected by the change
  4. The root user will not be locked out by setting up SSO

SSO functions in parallel with all the authentication examples you have given. You would likely want to remove the IAM users eventually, and force all humans to use SSO, so that their access is managed by your identity provider. You will still need some long-term credentials for your programmatic access (and somewhat ironically, IAM users are sometimes the best way to provide that to your automated processes).

rowanu
answered 1 year ago
  • Thank you, that's very helpful.
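
The accepted answer suggests eventually moving humans to SSO while keeping long-term credentials for automation. The following is an added example, not part of the original thread or AWS's own code: it sorts the rows of an IAM credential report into migration buckets so that console users and key-only service users are handled separately. The bucket names, function names and sample rows are assumptions made for illustration; the column names are those of the real credential report.

```python
import csv
import io

# Constructed sample: a subset of the real IAM credential report columns.
# User names and the account ID are invented for illustration.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
old-script,arn:aws:iam::111122223333:user/old-script,false,false,false,false
"""


def classify_users(report_csv):
    """Sort credential-report rows into SSO-migration buckets (hypothetical names)."""
    plan = {"root": [], "migrate_to_sso": [], "keep_programmatic": [],
            "review_mixed": [], "no_active_credentials": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            plan["root"].append(user)  # root is separate from SSO and IAM users
            continue
        console = row["password_enabled"] == "true"
        keys = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        if console and keys:
            plan["review_mixed"].append(user)       # human login plus keys: split the roles
        elif console:
            plan["migrate_to_sso"].append(user)     # console-only human: move to SSO
        elif keys:
            plan["keep_programmatic"].append(user)  # automation: keys keep working
        else:
            plan["no_active_credentials"].append(user)  # candidate for cleanup
    return plan


def console_users_without_mfa(report_csv):
    """IAM users who can still sign in with only a password while SSO runs in parallel."""
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    for bucket, users in classify_users(SAMPLE_REPORT).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
    print("console without MFA:", console_users_without_mfa(SAMPLE_REPORT))
```

A real report is produced with `aws iam generate-credential-report` and retrieved with `aws iam get-credential-report`, whose `Content` field holds the CSV base64-encoded.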
