Amazon IAM Identity Center concepts
This topic describes the key concepts of Amazon IAM Identity Center (IAM Identity Center). IAM Identity Center is a cloud-based IAM service that simplifies user access management across multiple Amazon Web Services accounts, applications, SDKs, and tools by integrating with existing identity providers (IdP). It enables secure single sign-on, permission management, and auditing through a centralized user portal, streamlining identity and access governance for organizations.
What is IAM Identity Center
IAM Identity Center is a cloud-based identity and access management (IAM) service that enables you to centrally manage access to multiple Amazon Web Services accounts and business applications.
It provides a user portal where authorized users can access the Amazon Web Services accounts and applications they've been granted permission to, using their existing corporate credentials. This allows organizations to enforce consistent security policies and streamline user access management.
Regardless of which IdP you use, IAM Identity Center abstracts those distinctions away. For example, you can connect Microsoft Azure AD as described in the blog article The Next Evolution in IAM Identity Center.
Note
For information on using bearer auth, which uses no account ID and role, see Setting up to use the Amazon CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.
Terms
Common terms when using IAM Identity Center are as follows:
- Identity Provider (IdP)
  An identity management system such as IAM Identity Center, Microsoft Azure AD, Okta, or your own corporate directory service.
- Amazon IAM Identity Center
  IAM Identity Center is the Amazon-owned IdP service. It was formerly known as Amazon Single Sign-On; SDKs and tools keep the sso API namespaces for backward compatibility. For more information, see IAM Identity Center rename in the Amazon IAM Identity Center User Guide.
- Amazon Web Services access portal
  Your unique IAM Identity Center URL to access your authorized Amazon Web Services accounts, services, and resources.
- Federation
  The process of establishing trust between IAM Identity Center and an identity provider to enable single sign-on (SSO).
- Amazon Web Services accounts
  The Amazon Web Services accounts that you provide users access to through Amazon IAM Identity Center.
- Permission sets, Amazon credentials, credentials, sigv4 credentials
  Predefined collections of permissions that can be assigned to users or groups to grant access to Amazon Web Services.
- Registration scopes, access scopes, scopes
  Scopes are a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes, and the access token issued to the application is limited to the scopes granted. For information on scopes, see OAuth 2.0 Access scopes in the IAM Identity Center User Guide.
- Tokens, refresh token, access token
  Tokens are temporary security credentials that are issued to you upon authentication. These tokens contain information about your identity and the permissions you've been granted.
  When you access an Amazon resource or application through the IAM Identity Center portal, your token is presented to Amazon for authentication and authorization. This allows Amazon to verify your identity and ensure you have the necessary permissions to perform your requested actions.
  The authentication token is cached to disk under the ~/.aws/sso/cache directory with a JSON filename based on the session name.
- Session
  An IAM Identity Center session refers to the period of time that a user is authenticated and authorized to access Amazon resources or applications. When a user signs in to the IAM Identity Center portal, a session is established, and the user's token is valid for a specified duration. For more information on setting session durations, see Set session duration in the Amazon IAM Identity Center User Guide.
  During the session, you can navigate between different Amazon accounts and applications without having to re-authenticate, as long as your session remains active. When the session expires, sign in again to renew your access.
  IAM Identity Center sessions help to provide a seamless user experience while also enforcing security best practices by limiting the validity of user access credentials.
How IAM Identity Center works
IAM Identity Center integrates with your organization's identity provider, such as IAM Identity Center, Microsoft Azure AD, or Okta. Users authenticate against this identity provider, and IAM Identity Center then maps those identities to the appropriate permissions and access within your Amazon environment.
The following IAM Identity Center workflow assumes you have already configured your Amazon CLI to use IAM Identity Center:
- In your preferred terminal, run the aws sso login command.
- Sign in to your Amazon Web Services access portal to start a new session.
  - When you start a new session, you receive a refresh token and an access token, which are cached.
  - If you already have an active session, that session is reused, and your access ends when it expires.
- Based on the profile you've set up in your config file, IAM Identity Center assumes the appropriate permission sets, granting access to the relevant Amazon Web Services accounts and applications.
- The Amazon CLI, SDKs, and tools use your assumed IAM role to make calls to Amazon Web Services, such as creating Amazon S3 buckets, until that session expires.
  - The access token from IAM Identity Center is checked hourly and is automatically refreshed using the refresh token.
  - If the access token has expired, the SDK or tool uses the refresh token to request a new access token. The tokens' session durations are compared, and if the refresh token has not expired, IAM Identity Center issues a new access token.
  - If the refresh token has expired, no new access token is issued and your session has ended.
- Sessions end after the refresh token expires, or when you manually log out using the aws sso logout command. Cached credentials are removed. To continue accessing services using IAM Identity Center, you must start a new session using the aws sso login command.
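The cached tokens described under the Tokens term and the refresh rules in the workflow above, as an added example written for this page (not code from the Amazon CLI or SDKs): it locates the cache file for an sso-session and classifies a cached entry as active, refreshable, or expired without ever printing the token values. Assumed: the SHA-1-of-session-name filename scheme, the cache field names, and the constructed placeholder entries.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

# Constructed sample cache entries (placeholder values, not real tokens); the
# field names mirror the JSON the CLI writes under ~/.aws/sso/cache.
SAMPLE_CACHE = json.dumps({
    "startUrl": "https://example.awsapps.com/start", "region": "us-east-1",
    "accessToken": "ACCESS-TOKEN-PLACEHOLDER",
    "expiresAt": "2024-01-01T12:00:00Z",
    "refreshToken": "REFRESH-TOKEN-PLACEHOLDER",
    "registrationExpiresAt": "2024-03-01T00:00:00Z",
})
# Entry with no refresh token: once expiresAt passes, only `aws sso login` helps.
LEGACY_CACHE = json.dumps({
    "startUrl": "https://example.awsapps.com/start", "region": "us-east-1",
    "accessToken": "ACCESS-TOKEN-PLACEHOLDER", "expiresAt": "2024-01-01T12:00:00Z",
})

def cache_path(session_name: str, home: str = os.path.expanduser("~")) -> str:
    """Cache file for an sso-session: SHA-1 hex of the session name (assumed scheme)."""
    digest = hashlib.sha1(session_name.encode("utf-8")).hexdigest()
    return f"{home}/.aws/sso/cache/{digest}.json"

def _ts(value: str) -> datetime:
    # Cache timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def session_state(cache_json: str, now: str = "") -> str:
    """Classify a cached session as 'active', 'refreshable' or 'expired'."""
    entry = json.loads(cache_json)
    current = _ts(now) if now else datetime.now(timezone.utc)
    if current < _ts(entry["expiresAt"]):
        return "active"
    # Access token is stale. A refresh can only be attempted if a refresh token
    # exists and the client registration is still valid; the refresh token's
    # own expiry is enforced by IAM Identity Center when the refresh is tried.
    reg = entry.get("registrationExpiresAt")
    if entry.get("refreshToken") and reg and current < _ts(reg):
        return "refreshable"
    return "expired"

def redacted_summary(cache_json: str) -> dict:
    """Expiry metadata for troubleshooting, without the tokens themselves."""
    entry = json.loads(cache_json)
    return {k: entry[k] for k in ("startUrl", "region", "expiresAt") if k in entry}
```

Point `session_state` at the contents of the file returned by `cache_path` to check a real session; treat that file like any other credential and never paste its contents into tickets or chat.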
Additional resources
Additional resources are as follows.
- Configure the Amazon CLI with IAM Identity Center authentication
- aws configure sso in the Amazon CLI version 2 Reference
- aws configure sso-session in the Amazon CLI version 2 Reference
- aws sso login in the Amazon CLI version 2 Reference
- aws sso logout in the Amazon CLI version 2 Reference
- Setting up to use the Amazon CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide
- IAM Identity Center rename in the Amazon IAM Identity Center User Guide
- OAuth 2.0 Access scopes in the IAM Identity Center User Guide
- Set session duration in the Amazon IAM Identity Center User Guide
- Getting started tutorials in the IAM Identity Center User Guide