How to enable AWS IAM Identity Center (SSO)
Topic: Accounts access
Summary
Enable AWS IAM Identity Center (SSO) in your organization so users sign in once and access assigned AWS accounts and applications. Configure the identity source, create permission sets, and assign users or groups to accounts. Use this for centralized access without creating IAM users per account.
Intent: How-to
Quick answer
- In the AWS Organizations management account, enable IAM Identity Center (formerly AWS SSO) and choose the identity source: Identity Center directory or connect an external IdP (e.g. Active Directory, Okta).
- Create permission sets (e.g. ReadOnly, AdministratorAccess or custom) and assign users or groups to AWS accounts via those permission sets; users sign in at the Identity Center portal and choose an account/role.
- Configure the AWS CLI to use SSO (aws configure sso) so users get short-lived credentials when they run CLI commands; no long-lived access keys are needed for SSO access.
Steps
- Enable IAM Identity Center in the management account: Sign in to the AWS Organizations management account, open IAM Identity Center (formerly AWS SSO) in the console and enable it, then choose the identity source (Identity Center directory for the built-in option, or an external IdP connected in a later step).
- Configure the identity source: If using the built-in directory, add users and groups in Identity Center; if using an external IdP, connect it (SAML 2.0 or OIDC) and configure attribute mapping so user and group attributes are passed to Identity Center for assignment.
- Create permission sets and assign them to accounts: Create permission sets (AWS managed or custom) that define the maximum permissions for a session; assign users or groups to AWS accounts with a permission set so that when they sign in, they can choose that account and receive the corresponding role.
- Enable the CLI and verify access: Have users run aws configure sso and sign in via the browser; they can then use aws sts get-caller-identity and other CLI commands with short-lived credentials. Verify that portal sign-in and the CLI work for a test user.
Summary
You will enable AWS IAM Identity Center (SSO) so users sign in once and access assigned AWS accounts and applications through permission sets. You configure the identity source (built-in directory or external IdP), create permission sets, assign users or groups to accounts, and optionally use the CLI with SSO. Use this to centralize access and avoid creating IAM users in every account.
Prerequisites
- AWS Organizations with a management account; you have root or admin access to the management account.
- Decision on identity source: IAM Identity Center built-in directory or an external IdP (e.g. Active Directory, Okta). For external IdP, see How to connect AWS to an external identity provider.
Steps
Step 1: Enable IAM Identity Center in the management account
- Sign in to the management account of AWS Organizations.
- Open IAM Identity Center (or AWS SSO) in the console. If you see Enable, click it. IAM Identity Center must be enabled in the organization’s management account.
- Choose the identity source: Identity Center directory (built-in users and groups) or External identity provider (connect later). You can switch later with some limitations. Click Next and complete enablement.
Step 2: Configure the identity source
- Identity Center directory: In Identity Center → Users and Groups, create users and groups. These will be used for assignments. Optionally configure MFA in Settings → Authentication.
- External IdP: In Settings → Identity source → Change, choose External identity provider. You will need the IdP’s metadata (SAML metadata URL or OIDC issuer) and attribute mapping; complete this in the next guide (Connect AWS to an external identity provider).
Step 3: Create permission sets and assign to accounts
- Permission sets: Identity Center → Permission sets → Create permission set. Choose Custom permission set or use an AWS managed policy (e.g. ReadOnlyAccess, AdministratorAccess). Name it (e.g. ReadOnly, ProdAdmin), attach the policies, and click Create.
- Assignments: Identity Center → AWS accounts (or Multi-account permissions). Select one or more accounts, then Assign users or groups. Choose the users or groups and the permission set, then submit. Users will see these accounts and permission sets when they sign in to the portal.
Step 4: Enable CLI and verify access
- Portal: Give users the Identity Center portal URL (shown in Settings → Identity source or Dashboard). They sign in with their Identity Center or IdP credentials and choose an account and role (permission set). They get a temporary console session.
- CLI: Users run aws configure sso, enter the start URL (portal URL) and SSO region, and optionally a default account and role. They sign in in the browser and can then run aws sts get-caller-identity and other CLI commands with short-lived credentials. No long-lived access keys are stored for SSO.
Verify a test user can sign in to the portal, select an account and role, and use the CLI with aws configure sso.
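As an added example (not code from the original guide), the Python below shows the sso-session profile that aws configure sso writes to ~/.aws/config and a check of aws sts get-caller-identity output that confirms a CLI session is an Identity Center role in the expected account with the expected permission set. The start URL, account ID, role and user names are constructed placeholder values.

```python
import json
import re
from textwrap import dedent

# Identity Center provisions one role per assigned account named AWSReservedSSO_<permission set>_<16-hex suffix>.
_SSO_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<permission_set>.+)_[0-9a-f]{16}/(?P<session>[^/]+)$"
)

def sso_profile_config(profile, session_name, start_url, sso_region,
                       account_id, role_name, region="us-east-1"):
    """~/.aws/config stanzas as `aws configure sso` writes them (sso-session format)."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    start_url = start_url.rstrip("/")  # normalize; avoids trailing-slash mismatches on sign-in
    return dedent(f"""\
        [profile {profile}]
        sso_session = {session_name}
        sso_account_id = {account_id}
        sso_role_name = {role_name}
        region = {region}

        [sso-session {session_name}]
        sso_start_url = {start_url}
        sso_region = {sso_region}
        sso_registration_scopes = sso:account:access
        """)

def verify_caller_identity(output_json, expected_account, expected_permission_set):
    """Return (ok, detail) for `aws sts get-caller-identity` output: ok only when the
    caller is an Identity Center role session in the expected account/permission set."""
    ident = json.loads(output_json)
    m = _SSO_ROLE_RE.match(ident.get("Arn", ""))
    if not m:
        return False, f"not an Identity Center role session: {ident.get('Arn')}"
    if m["account"] != expected_account or ident.get("Account") != expected_account:
        return False, f"wrong account: {m['account']}"
    if m["permission_set"] != expected_permission_set:
        return False, f"wrong permission set: {m['permission_set']}"
    return True, f"{m['permission_set']} in {m['account']} as {m['session']}"

# Constructed sample of get-caller-identity output for an SSO session (not real IDs).
SAMPLE_SSO_IDENTITY = json.dumps({
    "UserId": "AROAEXAMPLEROLEID:alice@example.com",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/"
           "AWSReservedSSO_ReadOnly_0123456789abcdef/alice@example.com",
})
```

A result of False from verify_caller_identity means the CLI is using something other than the assigned SSO role (an IAM user key, or a different account or permission set), which is exactly what the verification step is meant to catch.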
Verification
- IAM Identity Center is enabled in the management account; identity source is set (directory or external IdP).
- At least one permission set exists and is assigned to at least one account for a user or group.
- Test user can sign in to the portal, choose account/role, and use the CLI with SSO; get-caller-identity shows the assumed role ARN.
Troubleshooting
Identity Center not available — It must be enabled in the management account of AWS Organizations. Ensure you are in the correct account and region (Identity Center is a global service but console is region-specific; use a supported region).
User does not see an account — Ensure the user (or a group they are in) is assigned to that account with a permission set. Check AWS accounts → Assignments for the account and the user/group.
CLI aws configure sso fails — Ensure the start URL is correct (no trailing slash issues) and the user has completed portal sign-in at least once. Clear cached credentials and retry; check that the SSO region matches.