Set relay state
By default, when a user signs into the Amazon Web Services access portal, chooses an account, and
then chooses the role that Amazon creates from the assigned permission set, IAM Identity Center
redirects the user’s browser to the Amazon Web Services Management Console. You can change this behavior by
setting the relay state to a different console URL. Setting the relay state
enables you to provide the user with quick access to the console that is most
appropriate for their role. For example, you can set the relay state to the
Amazon EC2 console URL (https://console.aws.amazon.com/ec2/)
to redirect the user to that console when they choose the Amazon EC2 administrator
role. During the redirection to the default URL or relay state URL, IAM Identity Center routes
the user’s browser to the console endpoint in the last Amazon Web Services Region used by the
user. For example, if a user ended their last console session in the
Europe (Stockholm) Region (eu-north-1), the user is redirected to the Amazon EC2 console in
that Region.
To configure IAM Identity Center to redirect the user to a console in a specific
Amazon Web Services Region, include the Region specification as part of the URL. For example,
to redirect the user to the Amazon EC2 console in the US East (Ohio) Region
(us-east-2), specify the URL for the Amazon EC2 console in that Region
(https://us-east-2.console.aws.amazon.com/ec2/).
If you enabled IAM Identity Center in the US West (Oregon) Region (us-west-2) and you want to
direct the user to that Region, specify https://us-west-2.console.aws.amazon.com.
Use the following procedure to configure the relay state URL for a permission set.
To configure the relay state
- Open the IAM Identity Center console.
- Under Multi-account permissions, choose Permission sets.
- Choose the name of the permission set for which you want to set the new relay state URL.
- On the details page for the permission set, to the right of the General settings section heading, choose Edit.
- On the Edit general permission set settings page, under Relay state, type a console URL for any of the Amazon services. For example:
  https://console.aws.amazon.com/ec2/
  Note
  The relay state URL must be within the Amazon Web Services Management Console.
- If the permission set is provisioned in any Amazon Web Services accounts, the names of the accounts appear under Amazon Web Services accounts to reprovision automatically. After the relay state URL for the permission set is updated, all Amazon Web Services accounts that use the permission set are reprovisioned. This means that the new value for this setting is applied to all Amazon Web Services accounts that use the permission set.
- Choose Save changes.
- At the top of the Amazon Organization page, a notification appears.
  - If the permission set is provisioned in one or more Amazon Web Services accounts, the notification confirms that the Amazon Web Services accounts were reprovisioned successfully, and the updated permission set was applied to the accounts.
  - If the permission set isn't provisioned in an Amazon Web Services account, the notification confirms that the settings for the permission set were updated.
Note
You can automate this process by using the Amazon API, an Amazon SDK, or the Amazon Command Line Interface (Amazon CLI). For more information, see:
- The CreatePermissionSet or UpdatePermissionSet actions in the IAM Identity Center API Reference
- The create-permission-set or update-permission-set commands in the sso-admin section of the Amazon CLI Command Reference.
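The relay state rules above (the URL must be within the Management Console and may name a Region) can be checked before the value is handed to update-permission-set. The following is an added example, not code from this documentation: the function names, the host pattern (taken from the two URL forms shown on this page) and the placeholder ARNs are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: console hosts take the two forms shown on this page,
# console.aws.amazon.com and <region>.console.aws.amazon.com.
CONSOLE_HOST = re.compile(r"(?:([a-z]{2}(?:-[a-z]+)+-\d)\.)?console\.aws\.amazon\.com")


def check_relay_state(url):
    """Return (ok, region, reason); region is None for a non-Region-specific URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, None, "scheme must be https"
    if "@" in parts.netloc:
        return False, None, "userinfo in URL hides the real host"
    try:
        port = parts.port
    except ValueError:
        return False, None, "invalid port"
    if port not in (None, 443):
        return False, None, "unexpected port"
    match = CONSOLE_HOST.fullmatch((parts.hostname or "").lower())
    if match is None:
        return False, None, "host is outside the Management Console"
    return True, match.group(1), "ok"


def update_permission_set_command(instance_arn, permission_set_arn, relay_state):
    """Build the argv for `aws sso-admin update-permission-set`, refusing bad URLs."""
    ok, _region, reason = check_relay_state(relay_state)
    if not ok:
        raise ValueError(f"refusing relay state {relay_state!r}: {reason}")
    return ["aws", "sso-admin", "update-permission-set",
            "--instance-arn", instance_arn,
            "--permission-set-arn", permission_set_arn,
            "--relay-state", relay_state]


if __name__ == "__main__":
    # Constructed placeholder ARNs, not real identifiers.
    inst = "arn:aws:sso:::instance/ssoins-EXAMPLE"
    pset = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"
    for url in ("https://us-east-2.console.aws.amazon.com/ec2/",
                "https://console.aws.amazon.com.example.net/ec2/"):
        try:
            print(" ".join(update_permission_set_command(inst, pset, url)))
        except ValueError as err:
            print(err)
```

The second sample URL is rejected because its host only begins with the console name; matching the whole hostname rather than a prefix is what keeps look-alike domains out of a permission set.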