Amazon IAM Identity Center concepts - Amazon Command Line Interface
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon IAM Identity Center concepts

This topic describes the key concepts of Amazon IAM Identity Center (IAM Identity Center). IAM Identity Center is a cloud-based IAM service that simplifies user access management across multiple Amazon Web Services accounts, applications, SDKs, and tools by integrating with existing identity providers (IdP). It enables secure single sign-on, permission management, and auditing through a centralized user portal, streamlining identity and access governance for organizations.

What is IAM Identity Center

IAM Identity Center is a cloud-based identity and access management (IAM) service that enables you to centrally manage access to multiple Amazon Web Services accounts and business applications.

It provides a user portal where authorized users can access the Amazon Web Services accounts and applications they've been granted permission to, using their existing corporate credentials. This allows organizations to enforce consistent security policies and streamline user access management.

Regardless of which IdP you use, IAM Identity Center abstracts those distinctions away. For example, you can connect Microsoft Azure AD as described in the blog article The Next Evolution in IAM Identity Center.

Note

For information on using bearer auth, which uses no account ID and role, see Setting up to use the Amazon CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.

Terms

Common terms when using IAM Identity Center are as follows:

Identity Provider (IdP)

An identity management system such as IAM Identity Center, Microsoft Azure AD, Okta, or your own corporate directory service.

Amazon IAM Identity Center

IAM Identity Center is the Amazon-owned IdP service. It was formerly known as Amazon Single Sign-On, and SDKs and tools keep the sso API namespaces (for example, the aws sso commands in the CLI) for backward compatibility. For more information, see IAM Identity Center rename in the Amazon IAM Identity Center User Guide.

Amazon Web Services access portal

Your unique IAM Identity Center URL to access your authorized Amazon Web Services accounts, services, and resources.

Federation

The process of establishing trust between IAM Identity Center and an identity provider to enable single sign-on (SSO).

Amazon Web Services accounts

The Amazon Web Services accounts that you provide users access to through Amazon IAM Identity Center.

Permission sets, Amazon credentials, credentials, sigv4 credentials

Predefined collections of permissions that can be assigned to users or groups to grant access to Amazon Web Services accounts. IAM Identity Center provisions each permission set as an IAM role in every account it is assigned to. When the CLI or an SDK uses a profile, it exchanges your access token for temporary credentials for that role (an access key ID, secret access key, and session token), and those SigV4 credentials sign the API calls you make. This is what the terms Amazon credentials and sigv4 credentials refer to.

Registration scopes, access scopes, scopes

Scopes are a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes, and the access token issued to the application is limited to the scopes granted. For information on scopes, see OAuth 2.0 Access scopes in the IAM Identity Center User Guide.

Tokens, refresh token, access token

Tokens are temporary security credentials that are issued to you upon authentication. These tokens contain information about your identity and the permissions you've been granted.

When you access an Amazon resource or application through the IAM Identity Center portal, your token is presented to Amazon for authentication and authorization. This allows Amazon to verify your identity and ensure you have the necessary permissions to perform your requested actions.

The token is cached to disk under the ~/.aws/sso/cache directory as a JSON file whose name is the SHA-1 hex digest of the sso-session name (for legacy profiles that have no sso-session, the digest of the start URL). The file holds the bearer tokens in clear text, so treat it like any other credential file and keep it readable only by your own user.

Session

An IAM Identity Center session refers to the period of time that a user is authenticated and authorized to access Amazon resources or applications. When a user signs in to the IAM Identity Center portal, a session is established, and the user's token is valid for a specified duration. For more information on setting session durations, see Set session duration in the Amazon IAM Identity Center User Guide.

During the session, you can navigate between different Amazon Web Services accounts and applications without re-authenticating, as long as the session remains active. When the session expires, sign in again to renew your access.

IAM Identity Center sessions help to provide a seamless user experience while also enforcing security best practices by limiting the validity of user access credentials.

How IAM Identity Center works

IAM Identity Center integrates with your organization's identity source, which can be the IAM Identity Center directory itself or an external identity provider such as Microsoft Azure AD or Okta. Users authenticate against that identity source, and IAM Identity Center then maps those identities to the appropriate permissions and access within your Amazon environment.

The following IAM Identity Center workflow assumes you have already configured your Amazon CLI to use IAM Identity Center:

  1. In your preferred terminal, run the aws sso login command.

  2. Sign in to your Amazon Web Services access portal to start a new session.

    • When you start a new session, you receive a refresh token and an access token, which are cached.

    • If you already have an active session, the existing session is reused and expires when the existing session expires.

  3. Based on the profile you've set up in your config file (the sso_account_id and sso_role_name it names), the CLI presents the access token to IAM Identity Center and receives temporary credentials for the IAM role that the permission set provisions in that account, granting access to the relevant Amazon Web Services accounts and applications.

  4. The Amazon CLI, SDKs, and Tools use your assumed IAM role to make calls to Amazon Web Services such as creating Amazon S3 buckets until that session expires.

  5. The access token from IAM Identity Center is checked hourly and, when it has expired, is automatically renewed using the refresh token.

    • If the access token has expired, the SDK or tool presents the refresh token to IAM Identity Center. If the refresh token is still within the session duration, IAM Identity Center issues a new access token.

    • If the refresh token has expired, no new access token is issued and your session has ended.

  6. Sessions end when the refresh token expires, or when you manually log out with the aws sso logout command, which removes the cached tokens and credentials from your machine and asks IAM Identity Center to invalidate the server-side sign-in session. To continue accessing services using IAM Identity Center, start a new session with the aws sso login command.
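The following is an added example, not code from this page or from the CLI itself. It walks the workflow above offline: it resolves an sso-session profile from a constructed ~/.aws/config (step 3), derives the token cache file name from the session name (the ~/.aws/sso/cache layout described under Tokens), decides whether a cached token can be used, must be refreshed, or needs a fresh aws sso login (steps 5 and 6), and checks that the cache file is not readable by other users. The cache layout (SHA-1 digest of the session name, fields accessToken, expiresAt, refreshToken), the 15-minute refresh window, and the start URL, account ID and role name are assumptions chosen for the example.

```python
"""Resolve an sso-session profile, locate its token cache file, and decide
whether a cached token can be used, must be refreshed, or needs a new
`aws sso login`. Added example, not AWS code. Assumes the cache layout this
page describes (one JSON file per sso-session under ~/.aws/sso/cache, named
after the SHA-1 hex digest of the session name) with `accessToken`,
`expiresAt` (ISO 8601 UTC 'Z') and, for sso-session profiles, `refreshToken`."""
import configparser
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Chosen for this example: a token expiring within 15 minutes is refreshed early.
REFRESH_WINDOW = timedelta(minutes=15)

# Constructed ~/.aws/config in the sso-session layout the CLI reads (placeholders).
SAMPLE_CONFIG = """\
[sso-session my-sso]
sso_start_url = https://d-0123456789.awsapps.com/start
sso_region = cn-north-1
sso_registration_scopes = sso:account:access

[profile dev-admin]
sso_session = my-sso
sso_account_id = 111122223333
sso_role_name = AdministratorAccess
"""

# Constructed cache entry of the kind `aws sso login` writes for my-sso.
SAMPLE_CACHE_ENTRY = {
    "startUrl": "https://d-0123456789.awsapps.com/start",
    "region": "cn-north-1",
    "accessToken": "constructed-access-token",
    "expiresAt": "2024-05-01T13:00:00Z",
    "refreshToken": "constructed-refresh-token",
}


def resolve_profile(config_text, profile):
    """Follow the profile's sso_session reference (workflow step 3): where to
    authenticate, which scopes to request, and which account/role to ask for."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    prof = cfg[f"profile {profile}"]
    sess = cfg[f"sso-session {prof['sso_session']}"]
    return {
        "session_name": prof["sso_session"],
        "start_url": sess["sso_start_url"],
        "sso_region": sess["sso_region"],
        "scopes": sess.get("sso_registration_scopes", "sso:account:access").split(","),
        "account_id": prof["sso_account_id"],
        "role_name": prof["sso_role_name"],
    }


def cache_file_name(session_name):
    """File under ~/.aws/sso/cache that holds the tokens for an sso-session."""
    return hashlib.sha1(session_name.encode("utf-8")).hexdigest() + ".json"


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def next_action(entry, now_utc):
    """Steps 5 and 6: 'use' a valid token; 'refresh' an expired or expiring one
    when a refresh token exists (if the service rejects that refresh token the
    session has ended and a login is needed); otherwise 'login'."""
    if parse_utc(now_utc) < parse_utc(entry["expiresAt"]) - REFRESH_WINDOW:
        return "use"
    if entry.get("refreshToken"):
        return "refresh"
    return "login"


def cache_mode_is_private(path):
    """Cache files hold bearer tokens in clear text: no group/other bits allowed."""
    return (os.stat(path).st_mode & 0o077) == 0


def demo_permission_check():
    """Write the sample entry to a temp dir and check it at 0600 and at 0644."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, cache_file_name("my-sso"))
        with open(path, "w") as fh:
            json.dump(SAMPLE_CACHE_ENTRY, fh)
        os.chmod(path, 0o600)
        private = cache_mode_is_private(path)
        os.chmod(path, 0o644)
        shared = cache_mode_is_private(path)
    return private, shared


if __name__ == "__main__":
    prof = resolve_profile(SAMPLE_CONFIG, "dev-admin")
    print(prof, "->", cache_file_name(prof["session_name"]))
    print(next_action(SAMPLE_CACHE_ENTRY, "2024-05-01T12:50:00Z"), demo_permission_check())
```

On a real workstation, point cache_mode_is_private at ~/.aws/sso/cache/<digest>.json rather than a temp file; a cache file readable by other local users is equivalent to handing them your access portal session until the refresh token expires or you run aws sso logout. Profiles without an sso-session (the legacy layout) are keyed by the digest of the start URL instead of the session name, and their cache entries carry no refresh token, so the same logic lands on "login" as soon as the access token expires.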

Additional resources

Additional resources are as follows.