AWS authentication through IAM Identity Center (formerly AWS SSO) beats traditional IAM access keys. Here’s why and how to set it up.
Why Use Identity Center
IAM Identity Center offers several benefits over traditional IAM access keys:
- Temporary credentials: SSO tokens expire automatically, reducing risk if compromised
- No long-lived secrets: IAM access keys can only be downloaded once as a .csv file at creation; these files end up in Downloads folders, Slack messages, or repos
- Centralized access: One login grants access to all AWS accounts you’re authorized for (dev, staging, prod); without SSO you’d need separate IAM credentials per account
- Audit trail: All access logged through Identity Center
Key Concepts
Before diving in, understand these three concepts:
- User: A person who needs AWS access (e.g., alice@company.com). Lives in Identity Center, not in any AWS account.
- Account: An isolated AWS environment with its own resources, billing, and IAM policies (e.g., dev, staging, prod). Organizations typically have multiple accounts.
- Permission Set: A reusable bundle of IAM policies defining what actions are allowed (e.g., AdministratorAccess, ReadOnlyAccess).
The relationship:
┌─────────────────────────────────────────────┐
│ IAM Identity Center                         │
├─────────────────────────────────────────────┤
│                                             │
│ User: alice@company.com                     │
│   │                                         │
│   ├──► dev-account ──► AdministratorAccess  │
│   │                                         │
│   ├──► staging-account ──► PowerUserAccess  │
│   │                                         │
│   └──► prod-account ──► ReadOnlyAccess      │
│                                             │
└─────────────────────────────────────────────┘
One user can access multiple accounts with different permission levels in each.
Setting Up Identity Center (Admin)
Before developers can use SSO, an admin must configure Identity Center:
- Enable Identity Center: Go to IAM Identity Center in the AWS Console; it’s off by default.
- Create users: Add users directly in Identity Center.
- Create permission sets: AWS provides predefined sets like AdministratorAccess, PowerUserAccess, ReadOnlyAccess, or you can create custom ones.
- Assign users to accounts: Link users to accounts with specific permission sets.
The admin gives the user a portal URL (e.g., https://d-xxxxxxxxxx.awsapps.com/start).
Setting Up AWS CLI with SSO (Developer)
Once granted access, configure the AWS CLI to use SSO.
One-time setup:
- Install the AWS CLI:
  brew install awscli  # or mise use -g aws-cli
- Configure SSO (the admin provides the start URL):
  aws configure sso
  Follow the prompts:
  SSO session name: my-session
  SSO start URL: https://d-xxxxxxxxxx.awsapps.com/start  # from your admin
  SSO region: us-east-1
  SSO registration scopes: sso:account:access
  This opens a browser for authentication. After approval, select your account and role. The CLI saves a named profile to ~/.aws/config.
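What `aws configure sso` leaves behind, extended to the three accounts from the diagram above: the shell script below is an added example and is not code from the original post or from the AWS CLI. It writes a `~/.aws/config`-style file in which every profile reuses one `sso-session` block, so a single `aws sso login` covers all of them, and then scans a credentials file for the long-lived `aws_access_key_id` entries that SSO is meant to replace. The account IDs, the sample credentials and the `legacy-ci` profile name are constructed placeholders; the start URL is the post's own placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): one sso-session shared by
# several account profiles, plus an audit for static access keys.
# Account IDs and sample credentials below are constructed placeholders.
set -eu

# Write an ~/.aws/config-style file where every profile points at the same
# sso-session, so one `aws sso login` authenticates all three accounts.
# Usage: write_sso_config <path>
write_sso_config() {
  cat > "$1" <<'EOF'
[sso-session my-session]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access

[profile dev]
sso_session = my-session
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = us-east-1

[profile staging]
sso_session = my-session
sso_account_id = 222222222222
sso_role_name = PowerUserAccess
region = us-east-1

[profile prod]
sso_session = my-session
sso_account_id = 333333333333
sso_role_name = ReadOnlyAccess
region = us-east-1
EOF
}

# Write a constructed ~/.aws/credentials with the kind of static keys the
# post warns about (values are obvious placeholders, not real keys).
# Usage: write_sample_credentials <path>
write_sample_credentials() {
  cat > "$1" <<'EOF'
[default]
aws_access_key_id = AKIA-PLACEHOLDER-0001
aws_secret_access_key = PLACEHOLDER-SECRET

[legacy-ci]
aws_access_key_id = AKIA-PLACEHOLDER-0002
aws_secret_access_key = PLACEHOLDER-SECRET
EOF
}

# Print, one per line, the profiles that authenticate through an sso-session.
# Usage: sso_profiles <config-path>
sso_profiles() {
  awk '
    /^\[/ { name = "" }                               # any section header resets
    /^\[profile / { name = $2; sub(/\]$/, "", name) }  # remember "[profile X]"
    /^sso_session/ && name != "" { print name; name = "" }
  ' "$1"
}

# Print, one per line, the sections of a credentials file that still hold a
# long-lived access key and are candidates for migration to SSO.
# Usage: static_key_profiles <credentials-path>
static_key_profiles() {
  awk '
    /^\[/ { name = $0; sub(/^\[/, "", name); sub(/\]$/, "", name) }
    /^aws_access_key_id/ && name != "" { print name; name = "" }
  ' "$1"
}

# Demo: build both files in a scratch directory and report on them.
tmp=$(mktemp -d)
write_sso_config "$tmp/config"
write_sample_credentials "$tmp/credentials"
echo "profiles using SSO:        $(sso_profiles "$tmp/config" | tr '\n' ' ')"
echo "profiles with static keys: $(static_key_profiles "$tmp/credentials" | tr '\n' ' ')"
rm -r "$tmp"
```

Point `static_key_profiles` at your real `~/.aws/credentials` to find profiles that still rely on downloaded keys; each one that shows up is a candidate for a `[profile ...]` block with `sso_session` instead.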
Daily routine:
SSO tokens expire after 8-12 hours. Each day (or when you see “token expired” errors):
aws sso login --profile my-profile
This opens a browser, you approve, and you’re authenticated. Then use --profile with any AWS command:
aws s3 ls --profile my-profile
aws ecr get-login-password --profile my-profile | docker login ...
Identity Center vs IAM Users
SSO users live in IAM Identity Center, which is completely separate from traditional IAM users. To see who’s authorized:
- Sign in with root credentials
- Navigate to IAM Identity Center (not IAM)
- Check the Users section
The direct URL if the left nav isn’t showing:
https://us-east-1.console.aws.amazon.com/singlesignon/home?region=us-east-1#!/users
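Two checks that follow from the daily routine and from the Identity Center vs IAM Users distinction above, written as an added shell example that is not part of the original post. `sso_token_valid` reads the `expiresAt` timestamp the AWS CLI stores in its token cache under `~/.aws/sso/cache/` and compares it with the current UTC time, so a wrapper can skip `aws sso login` while the token is still good; `caller_kind` classifies a caller ARN (as returned by `aws sts get-caller-identity` or seen in CloudTrail) as an SSO session, an IAM user, or root, using the `AWSReservedSSO_` prefix that Identity Center gives the roles it creates for permission sets. The cache contents, account IDs and ARNs are constructed samples; `ensure_sso_login` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether the cached SSO
# token is still valid before logging in again, and tell SSO callers apart
# from IAM users by their ARN. Sample cache files and ARNs are constructed.
set -eu

# Write a constructed token-cache file with the fields the AWS CLI keeps under
# ~/.aws/sso/cache/ that matter here (the token itself is a placeholder).
# Usage: write_sample_cache <path> <expiresAt, e.g. 2025-01-01T08:00:00Z>
write_sample_cache() {
  printf '{"startUrl": "https://d-xxxxxxxxxx.awsapps.com/start", "region": "us-east-1", "accessToken": "PLACEHOLDER", "expiresAt": "%s"}\n' "$2" > "$1"
}

# Return 0 while the token in <cache-file> is valid, 1 once it has expired or
# the file has no expiresAt. Both timestamps are fixed-width ISO-8601 UTC, so
# a plain string comparison orders them correctly.
# Usage: sso_token_valid <cache-file> [now]
sso_token_valid() {
  now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  expires=$(sed -n 's/.*"expiresAt"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1")
  [ -n "$expires" ] || return 1
  awk -v a="$now" -v b="$expires" 'BEGIN { exit !(a < b) }'
}

# Daily-routine wrapper (hypothetical helper): log in only when needed.
# Usage: ensure_sso_login <profile> <cache-file>
ensure_sso_login() {
  if sso_token_valid "$2"; then
    echo "token for profile $1 still valid, skipping login"
  else
    aws sso login --profile "$1"
  fi
}

# Classify a caller ARN. Identity Center materialises each permission set in
# each account as a role named AWSReservedSSO_<PermissionSet>_<suffix>, so SSO
# sessions appear as assumed-role ARNs with that prefix, while IAM users and
# root keep their arn:aws:iam:: forms. Handy when reading CloudTrail.
# Usage: caller_kind <arn>
caller_kind() {
  case $1 in
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*) echo sso ;;
    arn:aws:iam::*:user/*)                        echo iam-user ;;
    arn:aws:iam::*:root)                          echo root ;;
    *)                                            echo other ;;
  esac
}

# Demo with constructed data.
tmp=$(mktemp -d)
write_sample_cache "$tmp/fresh.json" "2099-01-01T00:00:00Z"
write_sample_cache "$tmp/stale.json" "2000-01-01T00:00:00Z"
for f in fresh stale; do
  if sso_token_valid "$tmp/$f.json"; then echo "$f: valid"; else echo "$f: expired"; fi
done
caller_kind "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/alice@company.com"
caller_kind "arn:aws:iam::111111111111:user/deploy-bot"
rm -r "$tmp"
```

If you would rather not parse the cache, the same decision can be made by running `aws sts get-caller-identity --profile my-profile` and calling `aws sso login` only when it fails; the cache check simply avoids a network round trip.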
Key Takeaways
- AWS SSO users are in IAM Identity Center, separate from IAM users
- Temporary credentials beat long-lived access keys
- One SSO login can grant access to multiple AWS accounts with different permissions