Blogmark
IAM Identity Center SSO credentials vs. IAM user access keys
via jbranchaud@gmail.com
I've been working with AWS and am noticing that the docs and AWS Console consistently recommend the use of short-term SSO-based credentials with an IAM Identity Center user over long-term/permanent IAM user access keys.
I liked how the person in this reddit thread put it:
Typically, you would log in via your identity provider, which then generates short lived, role based credentials. This removes the need for IAM user access keys living permanently on your workstation.
Another person posts this comprehensive set of steps, which closely mirror what I had to do setting up IAM Identity Center access for a project:
Quick start:
1. Enable Organizations (even if you have 1 personal account)
2. Enable IAM Identity Center (its own service, confusingly not part of IAM). Note the URL listed under "AWS access portal URL", you'll need that in a minute.
3. Create a User for yourself in IAM Identity Center (this is different than IAM users)
4. Go back to Organizations. Select Accounts, your account, and add your new user to the account with the permissions you want.
5. Get a cup of coffee, AWS takes a hot minute to sync up what you just did.
6. Browse to the Start URL you copied in step 2. Make sure you can log in and that you see the Account and the Role you set up in step 4. While you're logged in, do yourself a favor and add MFA to your new user.
7. Go to your terminal and type: aws configure sso. You'll be asked to name the SSO session; call it whatever you'd like. Next it wants the "Start URL"; this is the URL from step 2 above.
8. Point your profile at it: export AWS_PROFILE=my-new-sso-profile
9. Finally we get to actually log in: aws sso login. This will open a browser window and log you in through the Console. Once complete, your AWS CLI will be logged in with a temporary, role-based session, no long-lived credentials on your machine at all.

It's a long road to get here, but once you've got this set up it's a breeze to start your day with "aws sso login", and you've set up your account in a proper way that gives you a lot more options going forward. It's certainly more work than signing up for a TikTok account, but this is also a much more serious, professional product.
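As an added example that is not part of the quoted post, the script below audits the profiles in an AWS CLI config/credentials pair and reports which ones still rely on long-lived IAM user access keys rather than an SSO session. It assumes the config layout that `aws configure sso` writes (an `[sso-session ...]` block referenced by `sso_session` in a `[profile ...]` block, or the older per-profile `sso_start_url`); the sample files, profile names, portal URL and key values are constructed for the demo and are not real credentials.

```shell
#!/bin/sh
# Added example: audit AWS CLI profiles for long-lived access keys.
# Assumes the ~/.aws/config layout written by `aws configure sso`.
# All sample data below is constructed for the demo.

SAMPLE_DIR="${TMPDIR:-/tmp}/aws-profile-audit-demo"
mkdir -p "$SAMPLE_DIR"

# Constructed config: one SSO-backed profile and one profile with no SSO settings.
cat > "$SAMPLE_DIR/config" <<'EOF'
[sso-session my-sso]
sso_start_url = https://example-portal.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile my-new-sso-profile]
sso_session = my-sso
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1

[profile legacy]
region = us-east-1
EOF

# Constructed credentials file: the legacy profile carries permanent IAM user keys.
cat > "$SAMPLE_DIR/credentials" <<'EOF'
[legacy]
aws_access_key_id = AKIA-CONSTRUCTED-PLACEHOLDER
aws_secret_access_key = constructed-placeholder-secret
EOF

# ini_section_keys FILE SECTION: print key=value lines (whitespace stripped)
# for exactly one INI section, e.g. "profile legacy" or "legacy".
ini_section_keys() {
  awk -v want="[$2]" '
    /^\[/ { in_sec = ($0 == want); next }
    in_sec && /=/ { gsub(/[[:space:]]/, ""); print }
  ' "$1"
}

# credential_kind PROFILE CONFIG CREDENTIALS: print one of
#   sso              -> profile resolves credentials through IAM Identity Center
#   long-lived-keys  -> profile carries a permanent aws_access_key_id
#   none             -> neither found (unknown profile or other source)
credential_kind() {
  profile="$1"; config="$2"; creds="$3"
  section="profile $profile"
  [ "$profile" = "default" ] && section="default"
  cfg="$(ini_section_keys "$config" "$section")"
  if printf '%s\n' "$cfg" | grep -Eq '^(sso_session|sso_start_url)='; then
    echo sso
  elif [ -f "$creds" ] && ini_section_keys "$creds" "$profile" | grep -q '^aws_access_key_id='; then
    echo long-lived-keys
  elif printf '%s\n' "$cfg" | grep -q '^aws_access_key_id='; then
    echo long-lived-keys
  else
    echo none
  fi
}

# list_profiles CONFIG CREDENTIALS: every profile name seen in either file.
list_profiles() {
  awk '
    /^\[profile / { sub(/^\[profile /, ""); sub(/\]$/, ""); print; next }
    /^\[default\]/ { print "default" }
  ' "$1"
  if [ -f "$2" ]; then
    awk '/^\[/ { gsub(/[][]/, ""); print }' "$2"
  fi
}

# audit_profiles CONFIG CREDENTIALS: print "<profile> <kind>" per profile.
audit_profiles() {
  list_profiles "$1" "$2" | sort -u | while read -r p; do
    printf '%s %s\n' "$p" "$(credential_kind "$p" "$1" "$2")"
  done
}

# Stand-alone run against the constructed files; on a real workstation point
# these at "$HOME/.aws/config" and "$HOME/.aws/credentials".
audit_profiles "$SAMPLE_DIR/config" "$SAMPLE_DIR/credentials"
```

Running it on the constructed files prints `legacy long-lived-keys` and `my-new-sso-profile sso`; any `long-lived-keys` line is a profile still holding the permanent IAM user keys the post argues against, which is the thing to migrate to an SSO session and then deactivate in IAM.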