AWS IAM Identity Center concepts - AWS Command Line Interface
What is IAM Identity CenterTermsHow IAM Identity Center worksAdditional resources

AWS IAM Identity Center concepts

This topic describes the key concepts of AWS IAM Identity Center (IAM Identity Center). IAM Identity Center is a cloud-based IAM service that simplifies user access management across multiple AWS accounts, applications, SDKs, and tools by integrating with existing identity providers (IdP). It enables secure single sign-on, permission management, and auditing through a centralized user portal, streamlining identity and access governance for organizations.

What is IAM Identity Center

IAM Identity Center is a cloud-based identity and access management (IAM) service that enables you to centrally manage access to multiple AWS accounts and business applications.

It provides a user portal where authorized users can access the AWS accounts and applications they've been granted permission to, using their existing corporate credentials. This allows organizations to enforce consistent security policies and streamline user access management.

Regardless of which IdP you use, IAM Identity Center abstracts those distinctions away. For example, you can connect Microsoft Azure AD as described in the blog article The Next Evolution in IAM Identity Center.

Note

For information on using bearer auth, which uses no account ID and role, see Setting up to use the AWS CLI with CodeCatalyst in the Amazon CodeCatalyst User Guide.

Terms

Common terms when using IAM Identity Center are as follows:

Identity Provider (IdP)

An identity management system such as IAM Identity Center, Microsoft Azure AD, Okta, or your own corporate directory service.

AWS IAM Identity Center

IAM Identity Center is the AWS owned IdP service. Formerly known as AWS Single Sign-On, SDKs and tools keep the sso API namespaces for backward compatibility. For more information, see IAM Identity Center rename in the AWS IAM Identity Center User Guide.

AWS access portal

Your unique IAM Identity Center URL to access your authorized AWS accounts, services, and resources.

Federation

The process of establishing trust between IAM Identity Center and an identity provider to enable single sign-on (SSO).

AWS accounts

The AWS accounts that you provide users access to through AWS IAM Identity Center.

Permission sets, AWS credentials, credentials, sigv4 credentials

Predefined collections of permissions that can be assigned to users or groups to grant access to AWS services.

Registration scopes, access scopes, scopes

Scopes are a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes, and the access token issued to the application is limited to the scopes granted. For information on scopes, see OAuth 2.0 Access scopes in the IAM Identity Center User Guide.

Tokens, refresh token, access token

Tokens are temporary security credentials that are issued to you upon authentication. These tokens contain information about your identity and the permissions you've been granted.

When you access an AWS resource or application through the IAM Identity Center portal, your token is presented to AWS for authentication and authorization. This allows AWS to verify your identity and ensure you have the necessary permissions to perform your requested actions.

The authentication token is cached to disk under the ~/.aws/sso/cache directory with a JSON filename based on the session name.

Session

An IAM Identity Center session refers to the period of time that a user is authenticated and authorized to access AWS resources or applications. When a user signs in to the IAM Identity Center portal, a session is established, and the user's token is valid for a specified duration. For more information on setting session durations, see Set session duration in the AWS IAM Identity Center User Guide.

During the session, you can navigate between different AWS accounts and applications without having to re-authenticate, as long as their session remains active. When the session expires, sign in again to renew your access.

IAM Identity Center sessions help to provide a seamless user experience while also enforcing security best practices by limiting the validity of user access credentials.

How IAM Identity Center works

IAM Identity Center integrates with your organization's identity provider, such as IAM Identity Center, Microsoft Azure AD, or Okta. Users authenticate against this identity provider, and IAM Identity Center then maps those identities to the appropriate permissions and access within your AWS environment.

The following IAM Identity Center workflow assumes you have already configured your AWS CLI to use IAM Identity Center:

  1. In your preferred terminal, run the aws sso login command.

  2. Sign in to your AWS access portal to start a new session.

    • When you start a new session, you receive a refresh token and access token that is cached.

    • If you already have an active session, the existing session is reused and expires when the existing session expires.

  3. Based on the profile you've set up in your config file, IAM Identity Center assumes the appropriate permission sets, granting access to the relevant AWS accounts and applications.

  4. The AWS CLI, SDKs, and Tools use your assumed IAM role to make calls to AWS services such as creating Amazon S3 buckets until that session expires.

  5. The access token from IAM Identity Center is checked hourly and is automatically refreshed using the refresh token.

    • If the access token is expired, the SDK or tool uses the refresh token to get a new access token. These tokens' session durations are then compared, and if the refresh token is not expired IAM Identity Center provides a new access token.

    • If the refresh token has expired, then no new access tokens are provided and your session has ended.

  6. Sessions end after refresh tokens expire, or when you manually log out using the aws sso logout command. Cached credentials are removed. To continue accessing services using IAM Identity Center, you must start a new session using the the aws sso login command.

Additional resources

Additional resources are as follows.