
    IAM Identity Center

    Adam Elmore

    Set Up IAM Identity Center

    With multiple AWS accounts, managing access can be tricky. IAM Identity Center makes it easier to log in to the console and to access your accounts from your development machine. It's also a more secure approach than long-lived IAM user access keys: Identity Center issues only short-term credentials that expire and are renewed when you log in again.

    Enable IAM Identity Center

    In the AWS Management Console, search for "IAM Identity Center" and click "Enable" to set it up.

    Create a User

    Once enabled, create a new user by clicking "Add user" under the "Users" section. Use your email address as the username and have AWS send you a one-time password setup email.

    After accepting the invitation and setting a new password, you'll be prompted to set up multi-factor authentication (MFA). Use an authenticator app or a security key.

    Create a Permission Set

    Next, create a permission set, which defines the permissions a user receives in an AWS account (think of it as a role). For this example, create an "Administrator Access" permission set with a 12-hour session duration, the maximum allowed.

    Assign User Access

    Assign your user the "Administrator Access" permission set for each of your three AWS accounts (management, development, and production).

    1. Go to "AWS accounts" and select your management account.
    2. Under "Assign users or groups," select your user and the "Administrator Access" permission set.
    3. Repeat for the development and production accounts.

    After assigning access, refresh the page, and you'll see all three accounts listed with the "Administrator Access" permission set.
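    The same enable-user-permission-set-assign sequence can be scripted with the AWS CLI's `sso-admin` and `identitystore` commands. This is an added example, not code from the lesson; it assumes AWS CLI v2 with credentials in the management account, and the instance ARN, identity store ID and account IDs are constructed placeholders to replace with your own.

```shell
#!/usr/bin/env sh
# Added example: scripts the console steps above with the AWS CLI.
# Placeholders (constructed): replace with values from `aws sso-admin list-instances`
# and from your organization's account list.
INSTANCE_ARN="${INSTANCE_ARN:-arn:aws:sso:::instance/ssoins-PLACEHOLDER}"
IDENTITY_STORE_ID="${IDENTITY_STORE_ID:-d-PLACEHOLDER}"
MGMT_ACCOUNT=111111111111; DEV_ACCOUNT=222222222222; PROD_ACCOUNT=333333333333

# With DRY_RUN=1 every command is printed instead of executed, so the plan can be reviewed first.
aws_cmd() { if [ -n "${DRY_RUN:-}" ]; then echo "aws $*"; else aws "$@"; fi; }

# Step "Create a User": the email address doubles as the username, as in the walkthrough.
create_user() {  # $1 = email, $2 = given name, $3 = family name; prints the new UserId
  aws_cmd identitystore create-user --identity-store-id "$IDENTITY_STORE_ID" \
    --user-name "$1" --display-name "$2 $3" \
    --name "GivenName=$2,FamilyName=$3" --emails "Value=$1,Primary=true" \
    --query UserId --output text
}

# Step "Create a Permission Set": session duration is an ISO 8601 duration; PT12H is the maximum.
create_permission_set() {  # $1 = name, $2 = session duration; prints the PermissionSetArn
  aws_cmd sso-admin create-permission-set --instance-arn "$INSTANCE_ARN" \
    --name "$1" --session-duration "$2" \
    --query PermissionSet.PermissionSetArn --output text
}

# Give the permission set its policy (the console's predefined set does this for you).
attach_admin_policy() {  # $1 = permission set ARN
  aws_cmd sso-admin attach-managed-policy-to-permission-set --instance-arn "$INSTANCE_ARN" \
    --permission-set-arn "$1" --managed-policy-arn arn:aws:iam::aws:policy/AdministratorAccess
}

# Step "Assign User Access": one account assignment per account (steps 1-3 above).
assign_accounts() {  # $1 = user id, $2 = permission set ARN, rest = account ids
  user="$1"; ps="$2"; shift 2
  for acct in "$@"; do
    aws_cmd sso-admin create-account-assignment --instance-arn "$INSTANCE_ARN" \
      --target-type AWS_ACCOUNT --target-id "$acct" \
      --principal-type USER --principal-id "$user" --permission-set-arn "$ps"
  done
}

# Example run (constructed user); remove DRY_RUN to apply for real.
if [ "${1:-}" = "--run" ]; then
  uid=$(create_user me@example.com Adam Elmore)
  ps_arn=$(create_permission_set AdministratorAccess PT12H)
  attach_admin_policy "$ps_arn"
  assign_accounts "$uid" "$ps_arn" "$MGMT_ACCOUNT" "$DEV_ACCOUNT" "$PROD_ACCOUNT"
fi
```

    Run with `DRY_RUN=1 sh setup.sh --run` to print the five calls before letting them touch the organization.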

    Customize the Access Portal URL

    To make the IAM Identity Center URL more friendly, go to the dashboard and edit the "Access Portal URL" under "Settings Summary." Choose a unique subdomain (e.g., adam.dev); the subdomain is globally unique, so pick one that has not already been claimed.

    Now, you can access the IAM Identity Center portal at adam.dev.awsapps.com.start.

    Access AWS Accounts

    From the IAM Identity Center portal, you can click on the "Administrator Access" link for each account to open the AWS Management Console in a new tab. Opening an account this way replaces your existing console session, so the tab where you were signed in with the root credentials is logged out.

    With IAM Identity Center set up, you no longer need to use the root credentials. You can access all your AWS accounts securely through the custom portal URL.

    Transcript

    All right, we've got our AWS organization set up. We've got our three AWS accounts, one for production, one for development, and then the management account. You should still be logged into the console in your management account. We don't need to do anything with the other two accounts just yet. First, we need to set up access.

    So when you have multiple AWS accounts, it can be tricky to manage access into those accounts. IAM Identity Center makes this a lot easier, so it makes it easier to log in both to the console with multiple accounts but also to get access from your development machine into your multiple AWS accounts. So we're going to set all that up by setting up IAM Identity Center. This is also just a much more secure approach. If you have any past history with AWS, maybe you've built on AWS before, the old way was to create IAM users.

    So you create an IAM user, and then you create an access key into your account. And that access key lives in a text file on your development machine. That poses all kinds of security problems. I mean, if somebody gets ahold of your laptop, that's one thing, that's tough. And they've got access now to your AWS account.

    You can kill the access key, but what if you leak the access key and you don't realize it? Maybe you push it to a GitHub repo. You had it in a .env file and you thought it was safe. And now it's in a public GitHub repo and the public is mining cryptocurrency in your account. That stuff happens and it's because the IAM user credentials, that access key that you created, is long-lived.

    It's permanent. Unless you know that it was compromised and you go into the console and delete it, anybody could pick up those keys and have access in your AWS account with the role or the permissions that that key was created with. So that's not good. We don't want that. With IAM Identity Center, it only vends short-term credentials.

    So they're credentials that expire after a given amount of time, and then they require that you log back in and basically create new credentials. That's all automated in the CLI. We don't have to worry about that being an annoying process. But it's much more secure. So there's no keys that live on your development machine.

    OK, so let's get started. In order to set up IAM Identity Center, we're going to just search for it in the search bar. And this is similar to organizations, not a lot to it. We're just going to click Enable. OK, so now with IAM Identity Center enabled, we need to configure a few things here to give ourselves access into our three AWS accounts.

    So the first thing we're gonna do is we're gonna create a user. You can see over here on the left we've got users. We're gonna add user and for the username I just like to use my email address. So I'm just going to say me@adam.dev. And you can generate a one-time password or send an email to the user with password setup instructions.

    I'm just going to use the default there, send an email. I'm going to put my email address in, my name. And I'm just gonna leave all of this off. You can use this as sort of like a directory for all your users and store a bunch of related metadata. I'm not gonna mess with that right now.

    We're keeping it pretty simple. So I'm gonna click next. I'm not going to create any groups. This is as you would expect the way groups work. You can create groups, assign users to groups, and then assign permissions at the group level so you don't have to do it for every individual user.

    If you've got a larger organization or even a startup with multiple developers, you'd probably want to have a developer group and give them similar permissions. Okay. We're going to review and click add user. And at this point, it's sending me an email with those credentials. I'm going to grab those real quick, and then we'll be right back.

    All right, so I accepted the invitation that came to my email, and at this point it's going to ask me to add a new password, which I'm going to do. Okay, and after setting the password, it's going to make you log in. Okay, at this point, the organization by default requires multi-factor. So we're going to set up multi-factor. You can use an authenticator app or, if you've got a security key, which is what I'm going to use, go ahead and set that up now.

    And that's it. It's going to take me to the AWS access portal. You can see the URL here is kind of wonky. We're going to change that in a second. That'd be tough to remember.

    You could just bookmark it. But you'll also see we just don't have anything here to do. So we haven't assigned this user any access into any of the three AWS accounts. So there's not really anything to see at this point, we're going to go back to Identity Center. And at this point, we've got our user, we're going to create a permission set.

    So you basically assign permission sets to users for a given AWS account, you think of the permission set like a role. It's the types of permissions that the user has in the AWS account. So we've got to create one of those first. And there's some good defaults that we can just use here. So predefined permission set, we're just going to create an administrator access.

    Now, this obviously varies based on your situation. If you're building AWS applications for a startup or an organization where there's lots of developers involved, you're not just going to give everybody administrator access into all of your accounts. For this case, where it's, I'm just assuming an individual you're learning on AWS, it's fine to give yourself administrator access, we're going to need it to do a lot of the things we're going to do. But there are some other presets here you can look at. Okay, I'm going to leave a permission set name just as administrator access.

    I'm going to update the session duration to 12 hours, which is the maximum. It's just, it's very convenient to not have to re-login every hour. And then I'll click Next. And Review and Create. Okay, so we've created Administrator Access Permission Set.

    At this point now, we need to assign our user that we just created access into our accounts here with the administrator access permission set. So I'm gonna start with development. Actually, we'll start with the management account. And you might think like you already have access into the management account, but that's what the root user, that's what we're logged into right now in this console session. We really don't want to use these credentials ever again.

    They're not needed. Once we've given this new IAM Identity Center user access into the management account, we can start just logging into the AWS console through Identity Center and not use the root credentials. They're overly powerful and it's kind of dangerous to use those on a daily basis. So we're gonna assign users or groups after we've checked management account. And we don't have any groups, we just have the one user.

    So I'm assigning my user permissions. And in this, this is where we choose our permission set, the administrator access permission, for the development, or I'm sorry, for the management account. And we're going to submit that. And now if I just refresh this page... Yeah, we can see now we've got access into the management account.

    We can click on the role, and this will allow us to log into the console directly from this portal. Or you can click on Access Keys, and it'll give you short-term session credentials that you could paste into your terminal. We're not going to go that route. We're going to actually configure the CLI in a later lesson. But that's how you could get access into the console.

    OK, so now we need to do the same thing for development and production. Again, you probably wouldn't give just anybody administrator access into your production account. But for this simplified example, it's going to be fine. We're going to need administrator access for now. So we're just going to, I selected both of them.

    I've selected both AWS accounts, I'm going to choose my user again, click Next, give it administrator access and submit. And at this point, if we refresh the portal, we should have access into all three accounts. So you can see how this is way more convenient. If you're logging into these different AWS accounts into the console, this is a better way to manage it. If you were to assign multiple permission sets to your user, maybe you assigned administrator access, you wanted to also assign a read-only access, a safer view into the console.

    You'd see those listed under each account. So here we have administrator access, you'd also see any additional permission sets that you assign to your user. So now we have access from the console into all three of these. One last thing I wanna do here, we just wanna make this URL a little more friendly. You can change this prefix, this subdomain.

    You can customize it. It's got to be unique. It's globally unique. So it's sort of like claiming a domain name. You've got to choose something that hasn't been taken yet.

    So we're going to go back to the dashboard. And here on Settings Summary, yeah, Access Portal URL, we're going to edit that. And this is where we choose a unique subdomain. So I'm going to choose adam.dev, assuming that's available. And it is.

    So now we can click that link. It may just take a second. I think it's just still propagating. DNS though, am I right? Let's refresh that again.

    There we go. So now I can go to adam.dev.awsapps.com.start and that's going to take me in to, I've got to log in first, but that's going to take me back into that same portal where I have access into my accounts. I'm going to use my MFA. Okay, so now you should have a custom URL here. It's a little easier to remember and we've got access to all three of our accounts, in this case with administrator access.

    So I'll just show you how it looks. If I want to log into the development account, we haven't done anything with this account yet. I'm just going to click administrator access. It's going to open up the console in a separate tab. And you'll notice at this point, this first tab where we were working in the management account with our root credentials, it's now logged out because we've actually logged into the development account using IAM Identity Center.

    This console session is dead now. And really at this point, we're done. We don't need to worry about using those root credentials again. So I can just close this tab, and we're all set moving forward with IAM Identity Center. So this will be the URL that you hit the most.

    That's your IAM Identity Center portal. And from there, you'll jump into the console by clicking these links.