Delegate who can assign single sign-on access to users and groups in the management account
Assigning single sign-on access to the management account using the IAM Identity Center console is a privileged action. By default, only an AWS account root user or a user who has the AWSSSOMasterAccountAdministrator and IAMFullAccess AWS managed policies attached, can assign single sign-on access to the management account. The AWSSSOMasterAccountAdministrator and IAMFullAccess policies manage single sign-on access to the management account within an AWS Organizations organization.
Use the following steps to delegate permissions to manage single sign-on access to users and groups in your directory.
To grant permissions to manage single sign-on access to users and groups in your directory
-
Sign in to the IAM Identity Center console as a root user of the management account or with another user who has administrator permissions to the management account.
-
Follow the steps in Create a permission set to create a permission set, and then do the following:
-
On the Create new permission set page, select the Create a custom permission set check box, and then choose Next: Details.
-
On the Create new permission set page, specify a name for the custom permission set and optionally, a description. If required, modify the session duration and specify a relay state URL.
Note
For the relay state URL, you must specify a URL that is in the AWS Management Console. For example:
https://console.aws.amazon.com/ec2/
For more information, see Set relay state for quick access to the AWS Management Console.
-
Under What policies do you want to include in your permission set?, select the Attach AWS managed policies check box.
-
In the list of IAM policies, choose both the AWSSSOMasterAccountAdministrator and IAMFullAccess AWS managed policies. These policies grant permissions to any user and groups who are assigned access to this permission set in the future.
-
Choose Next: Tags.
-
Under Add tags (optional), specify values for Key and Value (optional), and then choose Next: Review. For more information about tags, see Tagging AWS IAM Identity Center resources.
-
Review the selections you made, and then choose Create.
-
-
Follow the steps in Assign user access to AWS accounts to assign the appropriate users and groups to the permission set that you just created.
-
Communicate the following to the assigned users: When they sign in to the AWS access portal and choose the Accounts tab, they must choose the appropriate role name to be authenticated with the permissions that you just delegated.