Quick start: Setting up IAM Identity Center to test Amazon managed applications - Amazon IAM Identity Center
Prerequisites Set up an organization instance to test Amazon managed applications Set up an account instance to test Amazon managed applications
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Quick start: Setting up IAM Identity Center to test Amazon managed applications

If your administrator hasn’t already provided you with access to IAM Identity Center, you can use the steps in this topic to set up IAM Identity Center to test Amazon managed applications. You'll learn how to enable IAM Identity Center, create a user directly in IAM Identity Center, and assign that user to an Amazon managed application.

This topic provides quick-start steps on how to enable IAM Identity Center in either of the following ways:

  • With Amazon Organizations – If you choose this option, an organization instance of IAM Identity Center is created.

  • Only in your specific Amazon Web Services account – If you choose this option, an account instance of IAM Identity Center is created.

For information about these instance types, see Organization and account instances of IAM Identity Center.

Prerequisites

Before you enable IAM Identity Center, confirm the following:

  • You have an Amazon Web Services account – If you don't, see Getting started with an Amazon Web Services account in the Amazon Account Management Reference Guide.

  • The Amazon managed application works with IAM Identity Center – Review the list of Amazon managed applications that you can use with IAM Identity Center to confirm that the Amazon managed application you want to test works with IAM Identity Center.

  • You’ve reviewed Regional considerations – Make sure that the Amazon managed application you want to test is supported in the Amazon Web Services Region where you enable IAM Identity Center. For more information, see the documentation for the Amazon managed application.

    Note

    You must deploy your Amazon managed application in the same Region where you plan to enable IAM Identity Center.

Setting up an organization instance of IAM Identity Center to test Amazon managed applications

Note

This topic describes how to enable IAM Identity Center with Amazon Organizations, which is the recommended way to enable IAM Identity Center.

Confirm your permissions

To enable IAM Identity Center with Amazon Organizations, you must sign in to the Amazon Management Console as either of the following:

  • A user with administrative permissions in the Amazon Web Services account where IAM Identity Center will be enabled with Amazon Organizations.

  • The root user (not recommended unless no other administrative users exist).

    Important

    The root user has access to all Amazon services and resources in the account. As a security best practice, unless you have no other credentials, do not use your account's root credentials to access Amazon resources. These credentials provide unrestricted account access and are difficult to revoke.

Step 1. Enable IAM Identity Center with Amazon Organizations

  1. Do one of the following to sign in to the Amazon Web Services Management Console.

    • New to Amazon (root user) – Sign in as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    • Already using Amazon with a standalone Amazon Web Services account (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

  2. On the Amazon Management Console Home page, select the IAM Identity Center service or navigate to the IAM Identity Center console.

  3. Choose Enable, and enable IAM Identity Center with Amazon Organizations. When you do this, you’re creating an organization instance of IAM Identity Center.

Step 2. Create an administrative user in IAM Identity Center

This procedure describes how to create a user directly in the built-in Identity Center directory. This directory isn't connected to any other directory that your administrator might use to manage workforce users. After you create the user in IAM Identity Center, you'll specify new credentials for this user. When you sign in as this user to test your Amazon managed application, you'll sign in with the new credentials, not with any existing credentials that you use to access corporate resources.

Note

We recommend that you use this method for creating users for testing purposes only.

  1. In the navigation pane of the IAM Identity Center console, choose Users, and then choose Add user.

  2. Follow the guidance in the console to add the user. Keep Send an email to this user with password setup instructions selected and make sure that you specify an email address to which you have access.

  3. In the navigation pane, choose Amazon Web Services accounts, select the check box next to your account, and choose Assign users or groups.

  4. Choose the Users tab, select the check box next to the user that you just added, and choose Next.

  5. Choose Create permission set, and follow the guidance in the console to create the AdministratorAccess predefined permission set.

  6. When you’re done, the new permission set appears in the list. Close the Permission sets tab in your browser window, return to the Assign users and groups tab, and choose the refresh icon next to Create permission set.

  7. On the Assign users and groups browser tab, the new permission set appears in the list. Select the check box next to the name of the permission set, choose Next, and then choose Submit.

  8. Sign out of the console.

Step 3. Sign in to the Amazon Web Services access portal as an administrative user

The Amazon Web Services access portal is a web portal that provides the user that you created with access to the Amazon Management console. Before you can sign in to the Amazon Web Services access portal, you must accept the invitation to join IAM Identity Center and activate your user credentials.

  1. Check your email for the subject line Invitation to join Amazon IAM Identity Center.

  2. Choose Accept invitation, and follow the guidance on the sign-up page to set a new password, sign in, and register an MFA device for your user.

  3. After you register your MFA device, the Amazon Web Services access portal opens.

  4. In the Amazon Web Services access portal, select your Amazon Web Services account and choose AdministratorAccess. You are redirected to the Amazon Management Console.

Step 4. Configure the Amazon managed application to use IAM Identity Center

  1. While you are signed in to the Amazon Management Console, open the console for the Amazon managed application that you plan to use.

  2. Follow the guidance in the console to configure the Amazon managed application to use IAM Identity Center. During this process, you can assign the user that you created to the application.

Setting up an account instance of IAM Identity Center to test Amazon managed applications

Note

An account instance of IAM Identity Center limits your deployment to a single Amazon Web Services account. You must enable this instance in the same Amazon Web Services Region as the Amazon application you want to test.

Confirm your app

All Amazon managed applications that work with IAM Identity Center can be used with organization instances of IAM Identity Center. However, only some of these applications can be used with account instances of IAM Identity Center. Review the list of Amazon managed applications that you can use with IAM Identity Center.

Step1. Enable an account instance of IAM Identity Center

  1. Do one of the following to sign in to the Amazon Web Services Management Console.

    • New to Amazon (root user) – Sign in as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    • Already using Amazon with a standalone Amazon Web Services account (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

  2. On the Amazon Management Console Home page, select the IAM Identity Center service or navigate to the IAM Identity Center console.

  3. Choose Enable.

  4. On the Enable IAM Identity Center with Amazon Organizations page, choose enable an account instance of IAM Identity Center.

  5. On the Enable account instance of IAM Identity Center page, review the information and optionally add tags that you want to associate with this account instance. Then choose Enable.

Step 2. Create a user in IAM Identity Center

This procedure describes how to create a user directly in the built-in Identity Center directory. This directory isn't connected to any other directory that your administrator might use to manage workforce users. After you create the user in IAM Identity Center, you'll specify new credentials for this user. When you sign in as this user to test your Amazon managed application, you'll sign in with the new credentials. The new credentials won't allow you to access other corporate resources.

Note

We recommend that you use this method for creating users for testing purposes only.

  1. In the navigation pane of the IAM Identity Center console, choose Users, and then choose Add user.

  2. Follow the guidance in the console to add the user. Keep Send an email to this user with password setup instructions selected and make sure that you specify an email address to which you have access.

  3. Sign out of the console.

Step 3. Sign in to the Amazon Web Services access portal as your IAM Identity Center user

The Amazon Web Services access portal is a web portal that provides the user that you created with access to the Amazon Management console. Before you can sign in to the Amazon Web Services access portal, you must accept the invitation to join IAM Identity Center and activate your user credentials.

  1. Check your email for the subject line Invitation to join Amazon IAM Identity Center.

  2. Choose Accept invitation, and follow the guidance on the sign-up page to set a new password, sign in, and register an MFA device for your user.

  3. After you register your MFA device, the Amazon Web Services access portal opens. When applications are available to you, you’ll find them under the Applications tab.

    Note

    Amazon applications that support account instances allow users to sign in to applications without requiring additional permissions. Therefore, the Accounts tab will remain empty.

Step 4. Configure the Amazon managed application to use IAM Identity Center

  1. While you are signed in to the Amazon Management Console, open the console for the Amazon managed application that you plan to use.

  2. Follow the guidance in the console to configure the Amazon managed application to use IAM Identity Center. During this process, you can assign the user that you created to the application.