Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Identity providers and federation

If you already manage user identities outside of Amazon, you can use identity providers instead of creating IAM users in your Amazon Web Services account. With an identity provider (IdP), you can manage your user identities outside of Amazon and give these external user identities permissions to use Amazon resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to Amazon resources.

An external IdP provides identity information to Amazon using either OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). OIDC connects applications, like GitHub Actions, that do not run on Amazon to Amazon resources. Examples of well-known SAML identity providers are Shibboleth and Active Directory Federation Services.

When you use an identity provider, you don't have to create custom sign-in code or manage your own user identities. The IdP provides that for you. Your external users sign in through an IdP, and you can give those external identities permissions to use Amazon resources in your account. Identity providers help keep your Amazon Web Services account secure because you don't have to distribute or embed long-term security credentials, such as access keys, in your application.

This guide covers IAM federation. Your use case might be better supported by IAM Identity Center or Amazon Cognito. The following summaries and table provide an overview of the methods that your users can employ to gain federated access to Amazon resources.

Federation with IAM Identity Center

For centralized access management of human users, we recommend that you use IAM Identity Center to manage access to your accounts and permissions within those accounts. Users in IAM Identity Center are granted short-term credentials to your Amazon resources. You can use Active Directory, an external identity provider (IdP), or an IAM Identity Center directory as the identity source for users and groups to assign access to your Amazon resources.

IAM Identity Center supports identity federation with SAML (Security Assertion Markup Language) 2.0 to provide federated single sign-on access for users who are authorized to use applications within the Amazon access portal. Users can then single sign-on into services that support SAML, including the Amazon Web Services Management Console and third-party applications, such as Microsoft 365, SAP Concur, and Salesforce.

Federation with IAM

While we strongly recommend managing human users in IAM Identity Center, you can enable federated user access with IAM for human users in short-term, small scale deployments. IAM allows you to use separate SAML 2.0 and Open ID Connect (OIDC) IdPs and use federated user attributes for access control. With IAM, you can pass user attributes, such as cost center, title, or locale, from your IdPs to Amazon, and implement fine-grained access permissions based on these attributes.

A workload is a collection of resources and code that delivers business value, such as an application or backend process. Your workload can require an IAM identity to make requests to Amazon services, applications, operational tools, and components. These identities include machines running in your Amazon environments, such as Amazon EC2 instances or Amazon Lambda functions.

You can also manage machine identities for external parties who need access. To give access to machine identities, you can use IAM roles. IAM roles have specific permissions and provide a way to access Amazon by relying on temporary security credentials with a role session. Additionally, you might have machines outside of Amazon that need access to your Amazon environments. For machines that run outside of Amazon you can use IAM Roles Anywhere. For more information about roles, see IAM roles. For details about how to use roles to delegate access across Amazon Web Services accounts, see IAM tutorial: Delegate access across Amazon accounts using IAM roles.

To link an IdP directly to IAM, you create an identity provider entity to establish a trust relationship between your Amazon Web Services account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). For more information about using one of these IdPs with Amazon, see the following sections:

Federation with Amazon Cognito identity pools

Amazon Cognito is designed for developers who want to authenticate and authorize users in their mobile and web apps. Amazon Cognito user pools add sign-in and sign-up features to your app, and identity pools deliver IAM credentials that grant your users access to protected resources that you manage in Amazon. Identity pools acquire credentials for temporary sessions through the AssumeRoleWithWebIdentity API operation.

Amazon Cognito works with external identity providers that support SAML and OpenID Connect, and with social identity providers like Facebook, Google, and Amazon. Your app can sign in a user with a user pool or an external IdP, then retrieve resources on their behalf with customized temporary sessions in an IAM role.