AWS Service Catalog. Grant SSO Users to the Portfolio

0

Hi there! I have successfully created a Service Catalog with related Portfolio and Products when my users were IAM users. I am having issues adding the SSO (sync'd with AD) users to the Portfolio though.
When following this step (https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-deploy.html), it's not clear how I can add an SSO group instead of an IAM group.
ASK: Is it possible to add an SSO user to the Service Catalog Portfolio? If so, how?
Many thanks in advance!

2 Answers
1

AWS SSO users are added to accounts through the use of AWS IAM Roles. You won't see the SSO group name or user name appear inside of the account. If you want to add a group of SSO users to a Service Catalog portfolio, you want to look in the Roles tab for a role starting with AWSReservedSSO followed by the name of the SSO Permission Set that you created.

Once you add the role to the portfolio, any users federated through AWS SSO with that permission set will be able to use the portfolio. If you are trying to restrict it down to only a select group of users within a permission set, you would probably want to create an SSO permission set specific for that group of users and provision it to your account.

AWS
tdmarco
answered 2 years ago
  • That's it! Worked like a champ. Many thanks for guidance!
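The steps in the answer above can be scripted. This is an added example, not code from the original answer or from AWS. It assumes boto3 with admin credentials for the target account, and that the role name ends in the hex suffix AWS SSO appends after the permission set name. The helper names are hypothetical.

```python
import re

# AWS SSO provisions its roles under this IAM path (a region segment may follow it).
SSO_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"


def find_sso_role_arns(iam, permission_set):
    """Return ARNs of the roles AWS SSO created here for one permission set."""
    # Assumption: role names look like AWSReservedSSO_<PermissionSet>_<hex suffix>.
    # Matching the whole name keeps "CatalogUsers" from also selecting
    # "CatalogUsers_Admin", which a plain prefix test would grant access to.
    pattern = re.compile(
        r"AWSReservedSSO_" + re.escape(permission_set) + r"_[0-9a-f]+"
    )
    arns = []
    pages = iam.get_paginator("list_roles").paginate(PathPrefix=SSO_PATH_PREFIX)
    for page in pages:
        for role in page["Roles"]:
            if pattern.fullmatch(role["RoleName"]):
                arns.append(role["Arn"])
    return arns


def grant_portfolio_access(iam, catalog, portfolio_id, permission_set):
    """Associate the permission set's role with a Service Catalog portfolio."""
    arns = find_sso_role_arns(iam, permission_set)
    if len(arns) != 1:
        # Zero roles: the permission set is not provisioned to this account.
        # Several: refuse to guess which principal should get access.
        raise LookupError(
            f"expected one role for {permission_set!r}, found {len(arns)}"
        )
    catalog.associate_principal_with_portfolio(
        PortfolioId=portfolio_id, PrincipalARN=arns[0], PrincipalType="IAM"
    )
    return arns[0]


if __name__ == "__main__":
    import sys

    import boto3  # imported here so the helpers can be tested without AWS access

    portfolio_id, permission_set = sys.argv[1:3]
    print(grant_portfolio_access(
        boto3.client("iam"), boto3.client("servicecatalog"),
        portfolio_id, permission_set,
    ))
```

Run it with the portfolio ID and the permission set name as the two arguments; it prints the role ARN that was associated.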

0

Hey there, I know it's a 1-year-old post, but here are my views. It will work with assigning roles. Though, if you set an expiration time with your SSO role, you might need to update access every time a new session is created. Have you encountered this issue? I am still in the testing phase, though that's my hypothesis on the issue which might come.

Dev_Ves
answered a year ago
