What are the different user identities in IAM - AWS Identity and Access Management

What are the different user identities in IAM

The identities managed in AWS Identity and Access Management are IAM users, IAM roles, and IAM groups. These identities are in addition to your root user that was created along with your AWS account.

We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, provision additional users and grant them the permissions required to perform the necessary tasks. You can add users either by addding people to your IAM Identity Center directory, federating an external identity provider with either IAM Identity Center or IAM or creating least privilege IAM users.

After you have set up your users, you can give access to your AWS account to specific people and provide them permissions to access resources.

As a best practice, AWS recommends that you require human users to assume an IAM role to access AWS so that they're using temporary credentials. If you are managing identities in the IAM Identity Center directory or using federation with an identity provider you are following best practices.

IAM users and users in IAM Identity Center

IAM users aren't separate accounts; they're users within your account. Each user can have its own password for access to the AWS Management Console. You can also create an individual access key for each user so that the user can make programmatic requests to work with resources in your account.

IAM users and their access keys are granted long-term credentials to your AWS resources. The primary use for IAM users is to give workloads that can't use IAM roles the ability to make programmatic requests to AWS services using the API or CLI.

Note

For scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you update access keys when needed. For more information, see Updating access keys.

In contrast, users in AWS IAM Identity Center and their access keys are granted short-term credentials to your AWS resources. For centralized access management, we recommend that you use AWS IAM Identity Center (IAM Identity Center) to manage access to your accounts and permissions within those accounts. IAM Identity Center is automatically configured with an Identity Center directory as your default identity source where you can create users and groups, and assign their level of access to your AWS resources. For more information, see What is AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

The main difference between these two types of users is that users in IAM Identity Center automatically assume an IAM role when they sign-in to AWS. IAM roles grant temporary credentials that are established each time the user signs-in to AWS.

Federating existing users

If the users in your organization already have a way to be authenticated, such as by signing in to your corporate network, you don't have to create separate IAM users or users in IAM Identity Center for them. Instead, you can federate those user identities into AWS using either IAM or AWS IAM Identity Center.

The following diagram shows how a user can get temporary AWS security credentials to access resources in your AWS account.

Users who are already authenticated elsewhere can be federated into AWS and assume an IAM role that gives them permissions to access specific resources.For more information about roles, see Roles terms and concepts.

Federation is particularly useful in these cases:

  • Your users already exist in a corporate directory.

    If your corporate directory is compatible with Security Assertion Markup Language 2.0 (SAML 2.0), you can configure your corporate directory to provide single-sign on (SSO) access to the AWS Management Console for your users. For more information, see Common scenarios for temporary credentials.

    If your corporate directory is not compatible with SAML 2.0, you can create an identity broker application to provide single-sign on (SSO) access to the AWS Management Console for your users. For more information, see Enabling custom identity broker access to the AWS console.

    If your corporate directory is Microsoft Active Directory, you can use AWS IAM Identity Center to connect a self-managed directory in Active Directory or a directory in AWS Directory Service to establish trust between your corporate directory and your AWS account.

    If you are using an external identity provider (IdP) such as Okta or Microsoft Entra to manage users, you can use AWS IAM Identity Center to establish trust between your IdP and your AWS account. For more information, see Connect to an external identity provider in the AWS IAM Identity Center User Guide.

  • Your users already have Internet identities.

    If you are creating a mobile app or web-based app that can let users identify themselves through an Internet identity provider like Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible identity provider, the app can use federation to access AWS. For more information, see OIDC federation.

    Tip

    To use identity federation with Internet identity providers, we recommend you use Amazon Cognito.

Access control methods

Here are the ways you can control access to your AWS resources.

Type of user access Why would I use it? Where can I get more information?

Single sign-on access for human users, such as your workforce users, to AWS resources using IAM Identity Center

IAM Identity Center provides a central place that brings together administration of users and their access to AWS accounts and cloud applications.

You can set up an identity store within IAM Identity Center or you can configure federation with an existing identity provider (IdP). Granting your human users limited credentials to AWS resources as needed is recommended as a security best practice.

Users have an easier sign-in experience and you maintain control over their access to resources from a single system. IAM Identity Center supports multi-factor authentication (MFA) for additional account security.

For more information about setting up IAM Identity Center, see Getting Started in the AWS IAM Identity Center User Guide

For more information about using MFA in IAM Identity Center, see Multi-factor authentication in the AWS IAM Identity Center User Guide

Federated access for human users, such as your workforce users, to AWS services using IAM identity providers

IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0). After you create an IAM identity provider, you must create one or more IAM roles that can be dynamically assigned to a federated user.

For more information about IAM identity providers and federation, see Identity providers and federation.

Cross-account access between AWS accounts

You want to share access to certain AWS resources with users in other AWS accounts.

Roles are the primary way to grant cross-account access. However, some AWS services allow you to attach a policy directly to a resource (instead of using a role as a proxy). These are called resource-based policies.

For more information about IAM roles, see IAM roles.

For more information about service-linked roles, see Using service-linked roles.

For information about which services support using service-linked roles, see AWS services that work with IAM. Look for the services that have Yes in the Service-Linked Role column. To view the service-linked role documentation for that service select the link associated with the Yes in that column.

Long-term credentials for designated IAM users in your AWS account

You might have specific use cases that require long-term credentials with IAM users in AWS. You can use IAM to create these IAM users in your AWS account, and use IAM to manage their permissions. Some of the use cases include the following:

  • Workloads that can't use IAM roles

  • Third-party AWS clients that require programmatic access through access keys

  • Service-specific credentials for AWS CodeCommit or Amazon Keyspaces

  • AWS IAM Identity Center is not available for your account and you have no other identity provider

As a best practice in scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you update access keys when needed. For more information, see Updating access keys.

For more information about setting up an IAM user, see Creating an IAM user in your AWS account.

For more information about IAM user access keys, see Managing access keys for IAM users.

For more information about service-specific credentials for AWS CodeCommit or Amazon Keyspaces, see Using IAM with CodeCommit: Git credentials, SSH keys, and AWS access keys and Using IAM with Amazon Keyspaces (for Apache Cassandra).

Programmatic access

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS:

  • If you manage identities in IAM Identity Center, the AWS APIs require a profile, and the AWS Command Line Interface requires a profile or an environment variable.

  • If you have IAM users, the AWS APIs and the AWS Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.

To grant users programmatic access, choose one of the following options.

Which user needs programmatic access? To By

Workforce identity

(Users managed in IAM Identity Center)

Use short-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs).

Following the instructions for the interface that you want to use:

IAM Use short-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs). Following the instructions in Using temporary credentials with AWS resources.
IAM Use long-term credentials to sign programmatic requests to the AWS CLI or AWS APIs (directly or by using the AWS SDKs).

(Not recommended)

Following the instructions in Managing access keys for IAM users.