Federated Identity: Accessing AWS accounts using AWS SSO
Before continuing, here are some excellent resources covering this topic in detail:
- How to create and manage users within AWS Single Sign-On
- Using AWS SSO with Okta, Active Directory, and AWS SSO Identities
As I appreciate seeing things in action, I’ve decided to go ahead and do a small experiment, with the goal of logging into an AWS account via AWS SSO using a newly provisioned user.
After enabling AWS SSO, I received a confirmation message, and customized the User portal URL.
Portal URL (can be found on the Dashboard page)
Check SSO Settings
Create a user
Added a user in the AWS SSO store.
Create a group
Create a permission set
Next, I created a permission set using the predefined
To keep it simple, I went with the
Use an existing job function policy
Assign the permission set to an AWS account
Next, I picked an AWS account (managed by AWS Organizations), clicked
selected the newly created
and the newly created permission set.
The account is now configured.
Add the user to the group
Went to the
and added a new user
Accessing AWS with the newly created user
Login using the user portal
Next, I went to the user portal URL, and logged in using the newly created user.
Select an account
After login, the account I’ve configured was visible.
There are 2 options for accessing the account: via the management console or CLI.
After clicking the Management console option, the AWS Management Console loaded successfully.
When choosing the CLI option, you are given 2 possibilities, one of which is executing 3 export statements in your console.
export AWS_ACCESS_KEY_ID="<removed-value>"
export AWS_SECRET_ACCESS_KEY="<removed-value>"
export AWS_SESSION_TOKEN="<removed-value>"
After running the export statements, I checked the details of the calling entity:
aws sts get-caller-identity
In the output I got the following ARN, confirming I have logged in with the new user
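As an added example that is not part of the original post, the helper below turns that manual ARN check into something scriptable: it takes the Arn reported by aws sts get-caller-identity, confirms it is an AWS SSO session (roles provisioned by AWS SSO are named AWSReservedSSO_<PermissionSet>_<hash>), verifies the account id and permission set match what you expect, and prints the signed-in user name. The function name, the account id and the sample ARN are constructed placeholders, not values from the post.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post). Usage:
#   check_sso_identity <arn> <expected-account-id> <expected-permission-set>
# Prints the SSO user name and returns 0 when the session matches,
# otherwise writes the reason to stderr and returns 1.
# Constructed sample ARN with placeholder values:
#   arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/sso-user
check_sso_identity() {
    arn="$1"; expected_account="$2"; expected_pset="$3"

    # ARN fields are colon separated: field 5 is the account id,
    # field 6 is the resource path (assumed-role/<role>/<session-name>).
    account=$(printf '%s' "$arn" | cut -d: -f5)
    resource=$(printf '%s' "$arn" | cut -d: -f6)

    # Only SSO-provisioned roles carry the AWSReservedSSO_ prefix; an IAM user
    # or a manually created role means the three export statements were not
    # obtained from the SSO user portal.
    case "$resource" in
        assumed-role/AWSReservedSSO_*/*) ;;
        *) echo "not an AWS SSO session: $arn" >&2; return 1 ;;
    esac

    role=${resource#assumed-role/}   # AWSReservedSSO_<set>_<hash>/<user>
    user=${role#*/}                  # <user>
    role=${role%%/*}                 # AWSReservedSSO_<set>_<hash>
    pset=${role#AWSReservedSSO_}     # <set>_<hash>
    pset=${pset%_*}                  # <set> (the hash never contains "_")

    if [ "$account" != "$expected_account" ]; then
        echo "wrong account: $account (expected $expected_account)" >&2
        return 1
    fi
    if [ "$pset" != "$expected_pset" ]; then
        echo "wrong permission set: $pset (expected $expected_pset)" >&2
        return 1
    fi
    printf '%s\n' "$user"
}

# Live usage after running the three export statements (needs the AWS CLI):
#   check_sso_identity "$(aws sts get-caller-identity --query Arn --output text)" \
#       123456789012 ReadOnlyAccess || exit 1
```

Running it as a guard at the top of a script stops the script early when the exported credentials belong to a different account or permission set than the one intended.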