Workforce Identity with AWS IAM Identity Center
Learn how IAM Identity Center enables single sign-on for workforce users across multiple AWS accounts, including permission sets, the AWS access portal, and directory integration.
By the end of this lesson, you will be able to:
- Explain what IAM Identity Center does and when to use it
- Describe permission sets and how they become IAM roles in target accounts
- Contrast Identity Center with IAM users and Cognito
- Identify the three identity types: workforce, app users, and enterprise directory
Who is this identity for?
AWS offers multiple identity services. The key question is: who needs access and to what?
| Identity Type | Use Case | AWS Service |
|---|---|---|
| Workforce | Employees accessing AWS accounts and business apps | IAM Identity Center |
| App Users | Customers logging into your mobile or web application | Amazon Cognito |
| Enterprise Directory | Extending existing Active Directory to AWS | AWS Directory Service |
This lesson focuses on workforce identity — the employees, contractors, and partners who need access to your AWS accounts.
What is IAM Identity Center?
IAM Identity Center is AWS's workforce single sign-on (SSO) solution. It connects your identity provider to multiple AWS accounts and applications through a single portal.
Instead of creating separate IAM users in every AWS account, your workforce signs in once and gains access to all assigned accounts and applications.
Permission sets are templates that become IAM roles in each target account.
Architecture overview
Core concepts
Permission Set
A template containing IAM policies that defines what actions users can perform. When assigned to an account, it becomes an actual IAM role.
Example: AdminAccess permission set contains the AWS managed AdministratorAccess policy
Account Assignment
The link between a user or group, a permission set, and an AWS account. Assignments determine who can access what in which accounts.
Example: Assign the Developers group with PowerUserAccess to the Development account
AWS Access Portal
The single URL where workforce users sign in to access their assigned AWS accounts and applications.
Example: https://my-org.awsapps.com/start
SCIM Provisioning
System for Cross-domain Identity Management — automatically syncs users and groups from your identity provider to Identity Center.
Example: When a new employee is added to Azure AD (now Microsoft Entra ID), they appear in Identity Center automatically; when the IdP deprovisions them, the same sync disables their Identity Center user, which is what keeps offboarding consistent across every account
IAM Users vs Identity Center
Comparison
| | IAM users | IAM Identity Center |
|---|---|---|
| Scope | One account; the user must be recreated in every account they need | One identity assigned to any number of accounts in the organization |
| Credentials | Long-lived console password and access keys, rotated by hand | Temporary session credentials issued after sign-in at the access portal |
| Lifecycle | Created and deleted manually, account by account | Synced from the identity source (SCIM); disabling the person there revokes access everywhere |
| MFA | Configured per user, per account | Enforced once, at the identity provider or the access portal |
| Attribution | Shared or leaked access keys are hard to tie back to a person | The assumed-role session name carries the signed-in user's identity |
When to choose IAM Identity Center over traditional IAM users
- Any human who needs console or CLI access: federated, temporary credentials remove the standing access keys that IAM users accumulate
- More than one AWS account: a single assignment model instead of a copy of every user in every account
- An existing directory or IdP: onboarding and offboarding happen in one place
- Keep IAM users only for the narrow cases that cannot use a role, such as an emergency-access (break-glass) user or a legacy tool that insists on static access keys, and rotate and monitor those keys
Directory Service: The enterprise option
AWS Directory Service provides managed Active Directory for organizations with existing Microsoft infrastructure.
Managed Microsoft AD: AWS hosts and operates domain controllers across multiple Availability Zones. You get a full Active Directory without managing infrastructure.
AD Connector: A gateway that redirects authentication to your on-premises Active Directory without caching any directory data in AWS.
Note
Directory Service is for enterprises with existing Active Directory. Identity Center can connect to either Directory Service or external identity providers like Okta or Azure AD.
Practical walkthrough
Enabling Identity Center
- Open IAM Identity Center in the AWS Management Console
- Choose your identity source:
- Identity Center directory (built-in)
- Active Directory (AWS Directory Service)
- External identity provider (Okta, Azure AD, Google)
- Configure SCIM provisioning if using an external IdP
Creating permission sets
Permission sets are templates. You choose which AWS managed policies or custom policies they contain.
| Common Permission Set | Purpose |
|---|---|
| AdministratorAccess | Full access to the account |
| PowerUserAccess | Full access except management of IAM, Organizations and account settings (it still permits a few read-only IAM and Organizations calls and creating service-linked roles) |
| ViewOnlyAccess | Read-only access for monitoring and auditing |
| Custom | Your own inline policy, AWS managed policies or customer managed policies, optionally with a permissions boundary (a customer managed policy or boundary is referenced by name and path and must already exist in every target account, or the assignment fails to provision) |
Assigning access
Account assignments link three things:
- Who: A user or group
- What: A permission set
- Where: One or more AWS accounts (the console lets you select every account under an OU, but each assignment is still stored per account, and accounts added to that OU later do not inherit it unless you assign them too)
When you assign a permission set to an account, Identity Center creates an IAM role in that account named AWSReservedSSO_<PermissionSetName>_<generated suffix> under the path /aws-reserved/sso.amazonaws.com/. The role's trust policy allows only the Identity Center SAML provider in that account to assume it, so users never hold credentials in the target account. Do not hard-code the full role ARN in resource or trust policies: the suffix is generated, and it changes if the permission set is deleted and recreated. Match on the permission set name with a wildcard instead.
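A worked example of that naming, added here and not taken from the lesson or from any AWS tooling: it parses the role and session ARNs Identity Center produces and builds an S3 bucket-policy statement that references the permission set's role through an aws:PrincipalArn wildcard instead of the generated suffix. The ARN layout is the one described above; the account IDs, suffixes, bucket name and user are constructed for the example, and arn_like is a local approximation of IAM's ArnLike matcher, not the service's own evaluation logic.

```python
import json
import re

# Identity Center provisions one IAM role per (permission set, account). The role
# is named AWSReservedSSO_<PermissionSetName>_<16 hex chars> and sits under the
# path /aws-reserved/sso.amazonaws.com/ (with an extra region segment, e.g.
# /aws-reserved/sso.amazonaws.com/us-east-1/, when the Identity Center instance
# is not in the account's default region). All ARNs below are constructed; the
# account numbers, suffixes and names are not real.
_ROLE_ARN = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role/aws-reserved/sso\.amazonaws\.com/"
    r"(?:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/)?"
    r"AWSReservedSSO_(?P<ps>[^/]+)_(?P<suffix>[0-9a-f]{16})$"
)
# What CloudTrail and sts:GetCallerIdentity show for a signed-in user: the
# session name is the user's name from the identity source.
_SESSION_ARN = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"AWSReservedSSO_(?P<ps>[^/]+)_(?P<suffix>[0-9a-f]{16})/(?P<session>[^/]+)$"
)


def parse_identity_center_principal(arn):
    """Split an Identity Center role ARN or assumed-role session ARN into its
    parts. Returns None for principals that Identity Center did not provision."""
    m = _ROLE_ARN.match(arn) or _SESSION_ARN.match(arn)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "account": g["account"],
        "permission_set": g["ps"],
        "suffix": g["suffix"],
        "region": g.get("region"),    # only present in the IAM role form
        "session": g.get("session"),  # only present in the STS session form
    }


def principal_arn_pattern(account, permission_set):
    """aws:PrincipalArn pattern covering every role Identity Center provisions
    for this permission set in this account, whatever the generated suffix and
    whether or not the path carries a region segment. The underscore before the
    final '*' stops 'AdminAccess' from also matching 'AdminAccessAudit'."""
    return (f"arn:aws:iam::{account}:role/aws-reserved/sso.amazonaws.com/"
            f"*AWSReservedSSO_{permission_set}_*")


def arn_like(pattern, arn):
    """Local approximation of IAM's ArnLike: case-sensitive, the six
    colon-separated ARN fields are compared one by one, '*' matches any run of
    characters (including '/') and '?' matches exactly one character."""
    p_fields, a_fields = pattern.split(":", 5), arn.split(":", 5)
    if len(p_fields) != 6 or len(a_fields) != 6:
        return False
    for p, a in zip(p_fields, a_fields):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
        if re.fullmatch(regex, a) is None:
            return False
    return True


def bucket_policy_statement(bucket, account, permission_set, actions):
    """S3 bucket-policy statement granting `actions` to the permission set's role
    in `account`. The principal is the account; the condition narrows it to the
    Identity Center role. aws:PrincipalArn carries the IAM role ARN (not the STS
    session ARN), so the pattern above is what the condition is compared against."""
    sid = "Allow" + re.sub(r"[^A-Za-z0-9]", "", permission_set)  # Sid must be alphanumeric
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": actions,
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"ArnLike": {"aws:PrincipalArn": principal_arn_pattern(account, permission_set)}},
    }


if __name__ == "__main__":
    caller = "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdminAccess_0123456789abcdef/alice@example.com"
    print(parse_identity_center_principal(caller))
    print(json.dumps(bucket_policy_statement("audit-logs", "123456789012", "AdminAccess", ["s3:GetObject"]), indent=2))
```

The parser is the piece to reuse in detection content: feeding it the userIdentity.arn from a CloudTrail record yields the permission set and the human behind the session, which an IAM user's access key never gives you.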
Developer workflow
After configuration, developers use AWS CLI version 2, which supports Identity Center sign-in natively:
aws configure sso
aws sso login
aws configure sso registers the CLI with the access portal, lets the user pick an account and permission set, and saves the result as a named profile that later commands select with --profile. aws sso login opens a browser, the user signs in through the access portal, and the CLI exchanges the portal token for temporary role credentials that last for the permission set's session duration (one hour by default, up to twelve). Both the portal token and the role credentials are cached as plaintext JSON under ~/.aws/sso/cache and ~/.aws/cli/cache, so a developer's home directory holds live credentials for as long as a session lasts and deserves the same protection as any other credential store.
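Added example, not from the lesson or from the AWS CLI project: it generates the ~/.aws/config that `aws configure sso` would otherwise build one interactive run at a time, one profile per account assignment in the CLI v2 sso-session format, and then parses the file back to check that every SSO profile is complete before anyone runs `aws sso login`. The portal URL, region and account assignments are constructed sample values.

```python
import configparser

# Constructed sample values for this example: an access portal, its region, and
# the account assignments a user holds as (account id, account name, permission set).
PORTAL_URL = "https://my-org.awsapps.com/start"
PORTAL_REGION = "us-east-1"
ASSIGNMENTS = [
    ("111111111111", "dev", "PowerUserAccess"),
    ("222222222222", "prod", "ViewOnlyAccess"),
    ("222222222222", "prod", "AdminAccess"),
]


def profile_name(account_name, permission_set):
    """Profile naming convention used by this example: <account>-<permission set>."""
    return f"{account_name}-{permission_set.lower()}"


def render_config(session_name, portal_url, portal_region, assignments, default_region="us-east-1"):
    """Build ~/.aws/config text in the CLI v2 sso-session format: one
    [sso-session] block holding the portal details, shared by one [profile] per
    (account, permission set) pair. sso_role_name is the permission set name
    exactly as it was assigned in Identity Center."""
    lines = [
        f"[sso-session {session_name}]",
        f"sso_start_url = {portal_url}",
        f"sso_region = {portal_region}",
        "sso_registration_scopes = sso:account:access",
        "",
    ]
    for account_id, account_name, permission_set in assignments:
        lines += [
            f"[profile {profile_name(account_name, permission_set)}]",
            f"sso_session = {session_name}",
            f"sso_account_id = {account_id}",
            f"sso_role_name = {permission_set}",
            f"region = {default_region}",
            "output = json",
            "",
        ]
    return "\n".join(lines)


def sso_profiles(config_text):
    """Parse config text and return (modern, legacy): modern maps each
    sso-session profile to (account_id, role_name, session); legacy lists
    profiles still using the older inline sso_start_url format. A profile that
    points at a missing [sso-session] or lacks sso_account_id / sso_role_name
    raises here instead of failing later inside `aws sso login`."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    sessions = {s.split(" ", 1)[1] for s in cp.sections() if s.startswith("sso-session ")}
    modern, legacy = {}, []
    for section in cp.sections():
        if not section.startswith("profile "):
            continue
        name, sec = section.split(" ", 1)[1], cp[section]
        if "sso_session" not in sec:
            if "sso_start_url" in sec:
                legacy.append(name)  # per-profile portal settings: candidate for migration
            continue
        if sec["sso_session"] not in sessions:
            raise ValueError(f"profile {name}: unknown sso-session {sec['sso_session']!r}")
        missing = [k for k in ("sso_account_id", "sso_role_name") if k not in sec]
        if missing:
            raise ValueError(f"profile {name}: missing {', '.join(missing)}")
        modern[name] = (sec["sso_account_id"], sec["sso_role_name"], sec["sso_session"])
    return modern, legacy


if __name__ == "__main__":
    text = render_config("my-sso", PORTAL_URL, PORTAL_REGION, ASSIGNMENTS)
    print(text)
    print(sso_profiles(text))
```

Write the output to ~/.aws/config, run `aws sso login --sso-session my-sso` once, and every profile in the file shares that one portal session until it expires; `aws sts get-caller-identity --profile prod-adminaccess` then returns an assumed-role ARN for the AWSReservedSSO_AdminAccess_... role in account 222222222222.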
Common pitfalls
Warning
Conflating Identity Center with Cognito — Identity Center is for your workforce (employees). Cognito is for your application's users (customers). They solve different problems.
Warning
Permission sets need assignments — Creating a permission set does nothing until you assign it to accounts and users. The role only appears in target accounts after assignment.
Warning
SCIM token expiration — The bearer token Identity Center issues for SCIM provisioning expires one year after it is generated. When it lapses, sign-in keeps working for existing users but synchronization stops, so new hires are not provisioned and deactivations in the IdP no longer propagate. Track the expiry date, generate and install a replacement token before it, then revoke the old one.
Summary
- IAM Identity Center provides workforce single sign-on across multiple AWS accounts
- Permission sets are templates that become IAM roles in each assigned account
- Account assignments determine who can access what in which accounts
- AWS access portal is the single URL for workforce users to sign in
- SCIM provisioning keeps users and groups synchronized from external identity providers
- Directory Service provides a managed Active Directory that Identity Center can use as its identity source, for organizations that already run AD