How do I use IAM Identity Center permission sets?

3 minute read
0

I want to use AWS IAM Identity Center (successor to AWS Single Sign-On) permission sets to provide users and groups access to an AWS account.

Resolution

Use the IAM Identity Center to create a permission set for a user or group. Then, assign users and groups in the account access to IAM Identity Center. Finally, confirm in the user portal that the users and groups have the correct permissions.

Note: In the following example, a federated user receives the ViewOnlyAccess permission set.

Create a ViewOnlyAccess permission set

  1. Open the IAM Identity Center console.
  2. In the navigation pane, under Multi-Account permissions, choose Permission sets.
  3. Choose Create permission set.
  4. On the Select permission set type page, under Permission set type, choose Predefined permission set.
  5. Under Policy for predefined permission set, choose ViewOnlyAccess, and then choose Next.
  6. On the Specify permission set details page, choose Next.
  7. On the Review and create screen, choose Create. The console displays the following message: "The permission set "ViewOnlyAccess" was successfully created."

Assign permission sets to AWS accounts

  1. Open the IAM Identity Center console.
  2. In the navigation pane, under Multi-account permissions, choose AWS accounts
  3. On the AWS accounts page, select one or more AWS accounts that you want to assign single sign-on access to.
  4. Choose Assign users or groups.
  5. On the Assign users and groups to AWS-account-name, for Selected users and groups, choose the users that you want to create the permission set for. Then, choose Next.
  6. On the Review and submit assignments to AWS-account-name page, for Review and submit, choose Submit. The console displays the following message: "We reprovisioned your AWS account successfully and applied the updated permission set to the account."

Verify that the user has ViewOnlyAccess permissions

  1. Open the IAM Identity Center console.
  2. In the navigation pane, choose Dashboard.
  3. On the Settings page, under Summary, choose AWS access portal URL.
  4. Use your IAM Identity Center user name and password to log in to the access portal.
  5. Choose AWS Account.
  6. Choose the Account dropdown to view the ViewOnlyAcccess permissions.
  7. For the ViewOnlyAccess permissions, choose Management console.

Remove or delete permission sets

You can remove or delete a permission set from an AWS account. Before you delete a permission set, you must remove it from all accounts. For more information, see Delete permission sets.

Related information

Single sign-on access to AWS accounts

Create a permission set

AWS OFFICIAL
AWS OFFICIALUpdated 7 months ago
2 Comments

None of this worked. The link takes me to the IAM identity Center page for Ohio, which tells me it is only available in Virginia. "Assign users or groups." does not appear. And Groups has no permissions settings. -Frank

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 10 months ago