Federated Identity: Accessing AWS accounts using AWS SSO

iam aws


In this post, I’ll briefly describe the steps required to add an user to the AWS SSO store and and using it to access an AWS account managed with AWS Organizations.

Before continuing, here are some excellent resources covering this topic in detail

As I appreciate seeing things in action, I’ve decided to go ahead and do a small experiment, with the goal of logging into an AWS account via AWS SSO using a newly provisioned user.

Enable SSO

After enabling AWS SSO, I received a confirmation message, and customized the User portal URL

Portal URL (can be found on the Dashboard page)

Check SSO Settings

This wasn’t a mandatory step, however I found it useful to understand the configuration. AWS SSO will be handling all aspects, which include managing identities and authenticaton.

Create an user

Added an user in the AWS SSO store.

Create a group

Create a permission set

Next I created a permission set using the predefined ViewOnlyAccesss policy.

To keep it simple, I went with the Use an existing job function policy

Assign the permission set to an AWS account

Next, I picked an AWS account (managed by AWS Organizations), clicked Assign users

selected the newly created ReadOnly group

and the newly created permission set.

The account is now configured.

Add the user to the group

Went to the ReadOnly group

and added a new user

Accessing AWS with the newly created user

Login using the user portal

Next, I went to the user portal URL, and logged in using the newly created user.

Select an account

After login, the account I’ve configured was visible.

There are 2 options for accessing the account: via the management console or CLI.

AWS Console

After clicking the Management console option, the AWS Management Console loaded successfully.


When choosing the CLI option you are given 2 possibilities, one of which is executing 3 export statements in your console.

export AWS_ACCESS_KEY_ID="<removed-value>"
export AWS_SECRET_ACCESS_KEY="<removed-value>"
export AWS_SESSION_TOKEN="<removed-value>"

After running the export statements, I checked the details of the calling entity:

aws sts get-caller-identity

In the output I got the following ARN, confirming I have logged in with the new user

 "Arn": "arn:aws:sts::<account>:assumed-role/AWSReservedSSO_ViewOnlyAccess_c53c4075fe5d0fb2/notsure"