Assign Amazon Web Services account access for an IAM Identity Center user - Amazon IAM Identity Center

Assign Amazon Web Services account access for an IAM Identity Center user

To set up Amazon Web Services account access for an IAM Identity Center user, you must assign the user to the Amazon Web Services account and permission set.

  1. Do either of the following to sign in to the Amazon Web Services Management Console.

    • New to Amazon (root user) – Sign in as the account owner by choosing Root user and entering your Amazon Web Services account email address. On the next page, enter your password.

    • Already using Amazon (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

  2. Open the IAM Identity Center console.

  3. In the navigation pane, under Multi-account permissions, choose Amazon Web Services accounts.

  4. The Amazon Web Services accounts page displays a tree view of your organization. Select the checkbox next to the Amazon Web Services account to which you want to assign access. If you are setting up administrative access for IAM Identity Center, select the checkbox next to the management account.

  5. Choose Assign users or groups.

  6. For Step 1: Select users and groups, on the Assign users and groups to "Amazon Web Services account name" page, do the following:

    1. On the Users tab, select the user to whom you want to grant administrative permissions.

      To filter the results, start typing the name of the user that you want in the search box.

    2. After you confirm that the correct user is selected, choose Next.

  7. For Step 2: Select permission sets, on the Assign permission sets to "Amazon Web Services account name" page, under Permission sets, select a permission set to define the level of access that users and groups have to this Amazon Web Services account.

  8. Choose Next.

  9. For Step 3: Review and Submit, on the Review and submit assignments to "Amazon Web Services account name" page, do the following:

    1. Review the selected user and permission set.

    2. After you confirm that the correct user is assigned to the permission set, choose Submit.

      Important

      The user assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.

  10. If either of the following applies, follow the steps in Prompt users for MFA to enable MFA for IAM Identity Center:

    • You're using the default Identity Center directory as your identity source.

    • You're using an Amazon Managed Microsoft AD directory or a self-managed directory in Active Directory as your identity source and you're not using RADIUS MFA with Amazon Directory Service.

    Note

    If you're using an external identity provider, note that the external IdP, not IAM Identity Center, manages MFA settings. MFA in IAM Identity Center is not supported for use by external IdPs.

When you set up account access for the administrative user, IAM Identity Center creates a corresponding IAM role. This role, which is controlled by IAM Identity Center, is created in the relevant Amazon Web Services account, and the policies specified in the permission set are attached to the role.
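The same assignment performed with the AWS CLI, as an added example that is not part of the AWS documentation: the `identitystore` and `sso-admin` commands are real, while the instance ARN, permission set ARN, identity store ID, account ID and user name are constructed placeholders. It assumes an administrative session in the management account and the AWS CLI configured for the China partition (`aws-cn`).

```shell
# Added example, not from the AWS documentation: the console procedure above
# performed with the AWS CLI (sso-admin). All IDs and ARNs are constructed
# placeholders; override them through the environment.
set -eu

INSTANCE_ARN="${INSTANCE_ARN:-arn:aws-cn:sso:::instance/ssoins-EXAMPLE}"
PERMISSION_SET_ARN="${PERMISSION_SET_ARN:-arn:aws-cn:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE}"
POLL_SECONDS="${POLL_SECONDS:-10}"   # interval between status checks

# Step 6: find the Identity Center user's ID from the identity store.
# $1 = identity store ID (d-...), $2 = user name
lookup_user_id() {
  aws identitystore list-users --identity-store-id "$1" \
    --filters "AttributePath=UserName,AttributeValue=$2" \
    --query 'Users[0].UserId' --output text
}

# Steps 4-9: assign the user to the account with the permission set.
# Prints the request ID of the asynchronous assignment.
# $1 = target account ID, $2 = Identity Center user ID
create_assignment() {
  aws sso-admin create-account-assignment --instance-arn "$INSTANCE_ARN" \
    --target-id "$1" --target-type AWS_ACCOUNT \
    --permission-set-arn "$PERMISSION_SET_ARN" \
    --principal-type USER --principal-id "$2" \
    --query 'AccountAssignmentCreationStatus.RequestId' --output text
}

# The assignment "might take a few minutes": poll until it leaves IN_PROGRESS.
# $1 = request ID, $2 = max polls (default 30); prints TIMED_OUT and returns 1 on timeout
wait_for_assignment() {
  max="${2:-30}"; i=0
  while [ "$i" -lt "$max" ]; do
    status=$(aws sso-admin describe-account-assignment-creation-status \
      --instance-arn "$INSTANCE_ARN" \
      --account-assignment-creation-request-id "$1" \
      --query 'AccountAssignmentCreationStatus.Status' --output text)
    if [ "$status" != "IN_PROGRESS" ]; then echo "$status"; return 0; fi
    i=$((i + 1)); sleep "$POLL_SECONDS"
  done
  echo "TIMED_OUT"; return 1
}

# Verification: the role IAM Identity Center creates in the target account lives
# under the reserved path (run with credentials for that account).
list_identity_center_roles() {
  aws iam list-roles --path-prefix /aws-reserved/sso.amazonaws.com/ \
    --query 'Roles[].RoleName' --output text
}
```

A typical run is `uid=$(lookup_user_id d-EXAMPLE janedoe)`, then `req=$(create_assignment 111122223333 "$uid")` and `wait_for_assignment "$req"`; a FAILED status usually means the permission set has not been provisioned to that account or the caller lacks `sso:CreateAccountAssignment`.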