Assign AWS account access for an IAM Identity Center user - AWS IAM Identity Center

Assign AWS account access for an IAM Identity Center user

To set up AWS account access for an IAM Identity Center user, you must assign the user to the AWS account and permission set.

  1. Do either of the following to sign in to the AWS Management Console.

    • New to AWS (root user) – Sign in as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

    • Already using AWS (IAM credentials) – Sign in using your IAM credentials with administrative permissions.

  2. Open the IAM Identity Center console.

  3. In the navigation pane, under Multi-account permissions, choose AWS accounts.

  4. On the AWS accounts page, a tree view list of your organization displays. Select the checkbox next to the AWS account to which you want to assign access. If you are setting up administrative access for IAM Identity Center, select the checkbox next to the management account .

  5. Choose Assign users or groups.

  6. For Step 1: Select users and groups, on the Assign users and groups to "AWS account name" page, do the following:

    1. On the Users tab, select the user to whom you want to grant administrative permissions.

      To filter the results, start typing the name of the user that you want in the search box.

    2. After you confirm that the correct user is selected, choose Next.

  7. For Step 2: Select permission sets, on the Assign permission sets to "AWS account name" page, under Permission sets, select a permission set to define the level of access that users and groups have to this AWS account.

  8. Choose Next.

  9. For Step 3: Review and Submit, on the Review and submit assignments to "AWS account name" page, do the following:

    1. Review the selected user and permission set.

    2. After you confirm that the correct user is assigned to the permission set, choose Submit.


      The user assignment process might take a few minutes to complete. Leave this page open until the process successfully completes.

  10. If either of the following applies, follow the steps in Prompt users for MFA to enable MFA for IAM Identity Center:

    • You're using the default Identity Center directory as your identity source.

    • You're using an AWS Managed Microsoft AD directory or a self-managed directory in Active Directory as your identity source and you're not using RADIUS MFA with AWS Directory Service.


    If you're using an external identity provider, note that the external IdP, not IAM Identity Center, manages MFA settings. MFA in IAM Identity Center is not supported for use by external IdPs.

When you set up account access for the administrative user, IAM Identity Center creates a corresponding IAM role. This role, which is controlled by IAM Identity Center, is created in the relevant AWS account, and the policies specified in the permission set are attached to the role.