By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Automatic onboarding for new Identity Center users?

0

Context: I am using Account Factory through Control Tower to create accounts. I am doing this dynamically through Terraform.

Problem: Users that are created through the Account Factory (Service Catalog Provisioned Product) receive an automatic invitation to the IAM Identity Center with the link to the SSO portal. Users that I assign access to certain sandbox accounts, but which don't have their own sandboxes, don't receive an invitation unless the 'Send email verification link' is clicked for the specific user in the IAM Identity Center, and then the assigned user can click 'Forgot Password' to make a new password for themselves once the email is verified.

Goal: Users that are created through IAM Identity Center and not with the Account Factory, but are given access to a sandbox account through an account assignment in IAM Identity Center, should also receive an invitation to the SSO portal.

For reference, an excerpt from a JSON file looks like this:

{
                "AccountName": "SandboxOne",
                "SSOUserEmail": "sandbox1@sandbox.com",
                "SSOUserFirstName": "Sandbox",
                "SSOUserLastName": "One",
                "AccountEmail": "sandbox1@sandbox.com",
                "ManagedOrganizationalUnit": "Year 1",
                "Budget": 100,
                "Users": [
                    {
                        "Email": "sandbox1-existinguser@sandbox.com",
                        "FirstName": "John",
                        "LastName": "Doe"
                    },
                    {
                        "Email": "sandbox2-newuser@sandbox.com",
                        "FirstName": "Jane",
                        "LastName": "Doe"
                    }
                ]
            },

To take this example: The SSOUserEmail will receive an invitation to join the IAM Identity Center portal. The other emails under 'Users' will not. For the first user in 'Users', if they already have a different sandbox for themselves, they will see the second (new) sandbox pop up in their SSO portal as a sign-in option. This is fine. However, the email for the second user which does not have their own sandbox, but is granted access to a different sandbox not under their own name, will not receive any notifications or email when their user is created unless prompted manually through management.

How can I onboard users to IAM Identity Center without manually sending verification emails?

Any help is appreciated, thank you.

Topics
Security, Identity, & ComplianceManagement & GovernanceApplication Integration
Tags
AWS Identity and Access ManagementAWS Control TowerAmazon Simple Notification Service (SNS)AWS Service CatalogTerraform
Language
English
Lesras
asked a year ago573 views
1 Answer
1

Sending an invitation email when creating an AWS Identity Center user through the API is currently not supported. Terraform uses the Identity Store API so is similarly restricted. There is a GitHub issue [1] tracking this on the the terraform-aws-provider repository. As a partial workaround, it is possible to configure AWS Identity Center to allow a user created through the API to automatically receive a verification email the first time they try to sign in [2]. This prevents the need to take action manually in the console, but does not automatically send a notification email when the user is created.

If you have AWS Premium support, you can submit a feature request for this via a support case. If you have an AWS account manager, you can also reach out to them.

[1] https://github.com/hashicorp/terraform-provider-aws/issues/28102

[2] https://docs.aws.amazon.com/singlesignon/latest/userguide/userswithoutpwd.html

profile pictureAWS
Sean Nixon
answered a year ago
  • Lesras
    a year ago

    Thank you for your helpful answer!

  • Sean Nixon
    a year ago

    Happy to help! If you feel I answered your question sufficiently, please take the time to accept my answer to mark the question as answered.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content