NashTech Insights

AWS Identity Center – SSO Solution

Trần Minh
AWS IAM Identity Center

To manage sign-in security for your workforce identities, you can use AWS IAM Identity Center. It provides one place to create or connect workforce users and centrally manage their access across all of their AWS accounts and applications. You can use multi-account permissions to assign your workforce users access to AWS accounts. In addition, you can connect your applications and use application assignments to grant users access to IAM Identity Center-enabled applications, cloud applications, and custom Security Assertion Markup Language (SAML 2.0) applications.

Overview of AWS IAM Identity Center

Enable IAM Identity Center

Log in to the AWS console, go to IAM Identity Center, and switch to the Asia Pacific (Sydney) region to enable this service.

Switch to the Sydney region to enable AWS Identity Center.

When you click the “Enable” button, the service requires AWS Organizations.

Accept enabling AWS Organizations.

After enabling, follow the setup steps to configure your IAM Identity Center.

IAM Identity Center Dashboard

Go to Settings, go to the tab “Identity source,” and click “Action” -> “Change identity source.”

Update Identity source

You then have three options for your Identity source.

  • Identity Center directory: You manage your workforce in IAM Identity Center, and users sign in through the AWS access portal.
  • Active Directory: If your organization already has accounts in Active Directory and you want to sync them to IAM Identity Center, this is the option to choose.
  • External identity provider: You manage your workforce in another identity provider (IdP). When you allow those users to use your AWS resources, they sign in on your IdP's sign-in page, which redirects them to the AWS access portal. After that, they receive tokens to access resources. Technically, this option uses SAML authentication.
Consider choosing the correct Identity source.

In this blog, we will use the “Identity Center directory” for the demo.

Set up AWS Accounts for the AWS Organization

We can use the AWS Organizations service to manage our organization. In this service, we can add multiple AWS Accounts for separate purposes (for example, Account, Finance, Development, Marketing, etc.).

One AWS Organization has one or many AWS Accounts

Create Permission Sets

We need to create Permission Sets, which we will later assign to specific AWS Accounts. One AWS Account can have 0 or many Permission Sets.

In Permission sets, we can choose “Predefined permission set” or “Custom permission set” according to business needs.

One AWS Account can have 0 or many Permission Sets

Create Users and Groups

In IAM Identity Center, we need to create Users and Groups and then add each user to 0 or many groups. As a result, one User belongs to 0 or many Groups.

One User belongs to 0 or many Groups

Assign Groups to AWS Account

After creating Groups and Permission Sets, we can choose an AWS Account and assign a specific group to it. During this process, we choose at least one Permission Set to assign to the Group. Finally, we have groups with specific Permission Sets under a specific AWS Account. As a result, one AWS Account has 0 or many User Groups, and a User Group has one or many Permission Sets.

One AWS Account has 0 or many User Groups; a User Group has one or many Permission Sets.

Full Picture of IAM Identity Center

In conclusion, we have a complete picture of the AWS IAM Identity Center.

Full Picture of IAM Identity Center

Test your AWS IAM Identity Center

Follow “Install or update the latest version of the AWS CLI” (AWS Command Line Interface documentation, amazon.com) to set up the AWS CLI.

After that, run the following command to check the AWS CLI version:

aws --version

Now, we can set up an AWS profile to test your AWS IAM Identity Center.

aws configure sso

If your browser supports it, the process opens the link automatically; otherwise, open it manually.

Input your user account. In this example, I will input “minh-nashtech-view-only.”

Click the “Allow” button.

Return to your console. Because this account has two groups, we must choose which one to use.

Choose “ViewOnlyAccess” and continue entering the remaining information: client region, default output format, profile name, etc.

Run the command to check your profile.

aws s3 ls --profile view-only
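When `aws configure sso` finishes, it writes the profile you named into ~/.aws/config. The following added example (not code from the original post) parses such a file and reports, per profile, whether it is a well-formed Identity Center profile (in either the current `sso-session` layout or the older inline layout) or whether it still carries long-lived static access keys, which is exactly what Identity Center sign-in is meant to replace. The start URL, account id and session name in the sample are constructed placeholders.

```python
"""Check AWS CLI profiles written by `aws configure sso` (added example)."""
import configparser
import re
from typing import Dict, List

# Constructed sample of ~/.aws/config; the start URL, account id and keys are placeholders.
SAMPLE_CONFIG = """
[sso-session nashtech]
sso_start_url = https://EXAMPLE-PLACEHOLDER.awsapps.com/start
sso_region = ap-southeast-2

[profile view-only]
sso_session = nashtech
sso_account_id = 111122223333
sso_role_name = ViewOnlyAccess
region = ap-southeast-2

[profile legacy-admin]
sso_start_url = https://EXAMPLE-PLACEHOLDER.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 111122223333
sso_role_name = AdministratorAccess

[profile static-keys]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE-PLACEHOLDER
"""

def check_profiles(config_text: str) -> Dict[str, List[str]]:
    """Return {profile_name: [problems]}; an empty list means a sound SSO profile."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    sessions = {s.split(" ", 1)[1]: cp[s] for s in cp.sections() if s.startswith("sso-session ")}
    report: Dict[str, List[str]] = {}
    for section in (s for s in cp.sections() if s.startswith("profile ")):
        p, problems = cp[section], []
        if "aws_access_key_id" in p or "aws_secret_access_key" in p:
            problems.append("uses long-lived static keys instead of Identity Center sign-in")
        # Start URL and SSO region live in the referenced sso-session, or inline (legacy layout).
        src = p
        if "sso_session" in p:
            src = sessions.get(p["sso_session"], p)
            if src is p:
                problems.append(f"references missing sso-session '{p['sso_session']}'")
        problems += [f"missing {k}" for k in ("sso_start_url", "sso_region") if k not in src]
        problems += [f"missing {k}" for k in ("sso_account_id", "sso_role_name") if k not in p]
        if "sso_account_id" in p and not re.fullmatch(r"\d{12}", p["sso_account_id"]):
            problems.append("sso_account_id is not a 12-digit account id")
        report[section.split(" ", 1)[1]] = problems
    return report

def role_for_profile(config_text: str, profile: str) -> str:
    """Return the permission set (sso_role_name) a profile signs in with, or '' if none."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp.get(f"profile {profile}", "sso_role_name", fallback="")
```

Run `check_profiles(open(os.path.expanduser("~/.aws/config")).read())` against your own file; a profile that should map to the “ViewOnlyAccess” permission set is confirmed by `role_for_profile(..., "view-only") == "ViewOnlyAccess"`.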

I'm a solution architect at NashTech. I live and work with the quote, "Nothing is impossible; Just how to do that!". When facing problems, we can solve them by building them all from scratch or finding existing solutions and making them one. Technically, we don't have right or wrong in the choice. Instead, we choose which solutions or approaches based on input factors. Solving problems and finding reasonable solutions to reach business requirements is my favorite.
