Managing access to multiple AWS accounts can be challenging at times. The primary way to access AWS used to be IAM users. These users had the ability (if granted) to access the AWS console using a username and password and to access it programmatically using access keys. Natively, an individual IAM user only has access to the account it was created in, unless that user can use cross-account roles. Cross-account roles are IAM roles with a special trust policy that allows principals from a specified account to assume the role in the account containing that particular cross-account role. Cross-account roles are a crucial means of access in AWS; however, they too can be challenging to use when you need to access many accounts.
AWS best practices encourage users to create purpose-built AWS accounts and to centralize them under an AWS organization. This means that users or companies could have hundreds or even thousands of individual AWS accounts. To reduce the burden of managing user access within an organization, AWS created IAM Identity Center. IAM Identity Center, which used to be called AWS SSO, is a service configured on an AWS organization’s management account. Identity Center is an SSO service that allows central management of users and permissions across the entire organization. Users can be added to Identity Center by creating them locally or by integrating it with Active Directory. Identity Center allows users to be granted access to AWS accounts in the organization and can even be integrated with third-party applications.
Once users are assigned access to AWS accounts in Identity Center, they can access those accounts through either the management console or programmatically. Access to these accounts is granted through STS sessions and has an expiration time set by the Identity Center admin, or one hour by default. There are two ways for users to get programmatic access to assigned AWS accounts through Identity Center: temporary keys provided in the Identity Center console, or an AWS CLI feature that allows users to log in to Identity Center from their terminal.
Temporary credentials using the Identity Center console
- Log in to your Identity Center portal (Each URL is different for each AWS Organization)
- Find the item in the list called AWS Account or search for the AWS account you wish to access
- In the list of AWS accounts, select the account you wish to access
- Once the desired account has been selected, you will be presented with a list of roles/permission sets that you have been granted access to. Click the Command line or programmatic access link for the desired role.
- A pop-up will provide temporary credentials for that account using the selected role. It offers options for using these credentials as environment variables, instructions to add them to your AWS credentials file, or the individual values that can be used with your application. There are links for each option that provide additional information on how to use and configure that method. One of the most popular methods for a user’s local machine is the option to add the values to your AWS credentials file.
- Once you have chosen which option you want to use and completed the steps that it outlines, you will now have programmatic access to AWS.
If you choose the AWS credentials file option and name your profile ‘default’, the AWS CLI will treat that profile as the default profile, and you will not need to provide the profile name in your CLI commands or application when using it.
AWS CLI log-in for Identity Center
You must have the AWS CLI v2 or higher installed on your local machine for the following workflow.
In the terminal on your local machine, run the following command to start the SSO login CLI wizard.

```shell
aws configure sso
```
- When prompted for the SSO start URL, provide the URL of your Identity Center portal.
- The following prompt will ask for the SSO region. This is the AWS region in which Identity Center was set up in the management account. Ask your Identity Center admin if you are unsure which region that is.
- After the SSO region has been entered, a web browser should launch, take you to your Identity Center portal and ask you to log in. If you cannot launch a web browser on your local machine, the CLI will instead give you a URL and a code that you can use to log in on another machine and authorize the login. After you log in, or if you were already logged in to Identity Center, you will be taken to an authorization prompt asking you to allow the CLI sign-in request. Click Allow.
- After you click Allow for the CLI access request, that web page can be closed. Go back to your terminal: if you have access to multiple AWS accounts, you will be given a list of accounts to select which account you want to access. If you only have one account, the CLI will automatically select that account for you.
- Next, you will be prompted for which role you want to use to access that account. If you have multiple roles, you will be given the option to select which role you want to use; otherwise, if you only have one role, it will be automatically selected.
- Next, you will be prompted for the default CLI region. This AWS region will be used for CLI requests whenever the region flag is not provided. The default region is ‘us-east-1’.
- The following prompt will ask for the default CLI output format. The AWS CLI supports a few different output formats, but ‘json’ is the most common.
- The following prompt is the CLI profile name; this is where you provide a profile name to refer to this connection in your application or the AWS CLI. If you provide the profile name ‘default’, this connection becomes the default profile, and you will not need to provide the profile flag in your AWS CLI commands.
After the profile name has been entered, the wizard will close, and you should now have access to the selected AWS account through the established Identity Center connection. If you’d like to check that your connection is correct and that you have the appropriate permissions, you can run the following command to get the AWS account number of the account you are connected to.
```shell
aws sts get-caller-identity --profile <profileName>
```
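The two workflows above leave different artifacts on the local machine: the console pop-up's credentials-file option writes static key material (with a session token) into `~/.aws/credentials`, while `aws configure sso` writes an SSO profile into `~/.aws/config` that the CLI refreshes on its own. The following script, an added example that is not part of the original article, inventories both files with the Python standard library and classifies each profile as a temporary STS credential, a long-lived IAM user key, or an SSO profile, which is the check a practitioner wants before leaving a laptop full of pasted keys. The file contents, account id, role name, start URL and key values are constructed placeholders; the assumed layout of the `[profile ...]` and `[sso-session ...]` sections follows what `aws configure sso` writes on current CLI v2 releases.

```python
"""Inventory AWS CLI profiles and classify how each one authenticates.

Added example; not code from the original article. It parses the two files the
article describes with the standard library only:
  ~/.aws/credentials  (written by the Identity Center pop-up's credentials-file option)
  ~/.aws/config       (written by `aws configure sso`)
All sample contents below are constructed; account ids, role names, URLs and key
values are placeholders, not real identifiers.
"""
import configparser
import os
from typing import Dict, Mapping

# Constructed sample of ~/.aws/credentials. The "default" profile holds the
# temporary keys pasted from the Identity Center pop-up (note the session
# token); "legacy-user" holds a long-lived IAM user access key (no token).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = ASIAEXAMPLETEMPKEY00
aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL
aws_session_token = EXAMPLE-SESSION-TOKEN-NOT-REAL

[legacy-user]
aws_access_key_id = AKIAEXAMPLELONGLIVED
aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL
"""

# Constructed sample of ~/.aws/config in the layout `aws configure sso` writes:
# a [profile X] section that points at a shared [sso-session Y] section.
# "stale-sso" refers to a session section that does not exist, to show the
# broken-reference case the classifier reports.
SAMPLE_CONFIG = """\
[profile dev-admin]
sso_session = my-org
sso_account_id = 111122223333
sso_role_name = AdministratorAccess
region = us-east-1
output = json

[profile stale-sso]
sso_session = deleted-org
sso_account_id = 444455556666
sso_role_name = ReadOnlyAccess

[sso-session my-org]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
"""


def parse_ini(text: str) -> configparser.ConfigParser:
    """Both AWS files are INI-style; configparser handles them directly."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def classify_profiles(credentials_text: str, config_text: str) -> Dict[str, str]:
    """Map each profile name to how it authenticates.

    temporary-sts        static keys plus a session token: expire on their own, must be re-pasted
    long-lived-key       IAM user access key with no session token: never expires by itself
    sso                  Identity Center profile; refreshed with `aws sso login`
    sso-missing-session  profile references an [sso-session] block that is not in the file
    """
    creds = parse_ini(credentials_text)
    conf = parse_ini(config_text)
    kinds: Dict[str, str] = {}

    for name in creds.sections():
        sec = creds[name]
        if "aws_session_token" in sec:
            kinds[name] = "temporary-sts"
        elif "aws_access_key_id" in sec:
            kinds[name] = "long-lived-key"

    for section in conf.sections():
        # In ~/.aws/config every profile except "default" is named "profile <name>".
        if section.startswith("profile "):
            name = section[len("profile "):]
        elif section == "default":
            name = section
        else:
            continue  # e.g. an [sso-session ...] block, handled via the reference below
        sec = conf[section]
        if "sso_session" in sec:
            ok = conf.has_section("sso-session " + sec["sso_session"])
            kinds.setdefault(name, "sso" if ok else "sso-missing-session")
        elif "sso_start_url" in sec:  # older inline form without an sso-session block
            kinds.setdefault(name, "sso")
    return kinds


def effective_profile(env: Mapping[str, str]) -> str:
    """The CLI uses AWS_PROFILE when set, otherwise the profile named "default"."""
    return env.get("AWS_PROFILE") or "default"


if __name__ == "__main__":
    report = classify_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG)
    for profile, kind in sorted(report.items()):
        print(f"{profile:12s} {kind}")
    print("active profile without --profile:", effective_profile(os.environ))
```

Run against your real files by reading `~/.aws/credentials` and `~/.aws/config` into the two text arguments. Profiles reported as `long-lived-key` are the ones worth replacing with an SSO profile, since the Identity Center session expiry described above never applies to them.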
Using the AWS CLI log-in option for Identity Center can be a simpler way to work with the AWS CLI and with your applications locally. There are some additional Identity Center features in the AWS CLI that are worth looking into if you found this helpful. For more information, please see the AWS CLI documentation.