I want to use AWS IAM Identity Center to provide access for users to our AWS accounts and applications. I want to know if IAM Identity Center affects my AWS Identity and Access Management (IAM) identities.
Short description
You can use IAM Identity Center or IAM to federate your workforce into AWS accounts and applications.
IAM federation lets you configure a separate SAML 2.0 or OIDC identity provider (IdP) in each AWS account. You can use identity providers instead of IAM users in your AWS account. For more information, see Identity providers and federation.
IAM Identity Center uses IAM service-linked roles. With service-linked roles, you don't have to add permissions manually. For more information, see Using service-linked roles for IAM Identity Center.
Resolution
IAM Identity Center is independent of identity federation that you configure with IAM. IAM Identity Center doesn't impact IAM identities or your federation configuration.
IAM Identity Center uses the service-linked role AWSServiceRoleForSSO to grant permissions to manage AWS resources. The AWSServiceRoleForSSO role that AWS creates in AWS accounts only trusts the IAM Identity Center service with an IAM trust policy similar to the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "sso.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
The IAM roles that the service-linked role AWSServiceRoleForSSO creates have an IAM trust policy similar to the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::444455556666:saml-provider/AWSSSO_ec48a2d3f5dc369d_DO_NOT_DELETE"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "SAML:aud": "signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}
Note: This trust policy only trusts the SAML provider that IAM Identity Center creates automatically.
With IAM federation, you must manually create IAM roles in your AWS accounts with a trust policy similar to the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::444455556666:saml-provider/ExampleIdP"
            },
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {
                "StringEquals": {
                    "saml:edupersonorgdn": "ExampleOrg",
                    "saml:aud": "signin.aws.amazon.com/saml"
                }
            }
        }
    ]
}
Note: Only IAM entities in your organization with this policy attached can access your AWS accounts.
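The three trust policies above differ only in their principal and condition blocks, which is what an auditor checks when reviewing roles in an account. The following Python is an added example, not code from this article or from AWS: it classifies a parsed trust policy as the Identity Center service-linked role, an Identity Center-managed role, or a manually created federation role, and flags any sts:AssumeRoleWithSAML statement that lacks the saml:aud guard. Recognising Identity Center providers by the AWSSSO_<id>_DO_NOT_DELETE name pattern is an assumption taken from this page's example ARN.

```python
import json

IDENTITY_CENTER_SERVICE = "sso.amazonaws.com"
EXPECTED_SAML_AUD = "signin.aws.amazon.com/saml"

def _as_list(value):
    """IAM allows a string or a list for Action; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _saml_aud(statement):
    """Return the saml:aud value from a StringEquals condition (IAM keys are case-insensitive)."""
    for key, value in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "saml:aud":
            return value
    return None

def classify_trust_policy(policy):
    """Return (kinds, findings) for one parsed trust policy document.

    kinds: which of the three patterns from this article the policy matches.
    findings: SAML statements missing the saml:aud = signin.aws.amazon.com/saml guard.
    """
    kinds, findings = set(), []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action"))
        if principal.get("Service") == IDENTITY_CENTER_SERVICE and "sts:AssumeRole" in actions:
            kinds.add("identity-center-service-linked")
        provider_arn = principal.get("Federated")
        if provider_arn and "sts:AssumeRoleWithSAML" in actions:
            name = provider_arn.rsplit("/", 1)[-1]
            # Assumption: Identity Center-created providers follow the AWSSSO_<id>_DO_NOT_DELETE
            # naming seen in this article's example; anything else is treated as a manual IdP.
            if name.startswith("AWSSSO_") and name.endswith("_DO_NOT_DELETE"):
                kinds.add("identity-center-managed")
            else:
                kinds.add("manual-iam-federation")
            if _saml_aud(stmt) != EXPECTED_SAML_AUD:
                findings.append(f"{name}: AssumeRoleWithSAML without saml:aud={EXPECTED_SAML_AUD}")
    return sorted(kinds), findings

# Constructed sample: a manual federation role whose audience condition was left out.
SAMPLE_WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::444455556666:saml-provider/ExampleIdP"},
  "Action": "sts:AssumeRoleWithSAML"}]}""")
```

Feeding it the three policies from this article yields one kind each with no findings, while SAMPLE_WEAK_POLICY produces a finding for ExampleIdP.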
Related information
How to create and manage users within AWS IAM Identity Center
How do I assign user access to cloud applications in the IAM Identity Center?
How do I use IAM Identity Center permission sets?
Identity federation in AWS