Simplifying AWS IAM Identity Center Role Management
As an AWS Community Builder, I'm always looking for ways to streamline cloud management tasks. Today, I'm excited to share a tool I've developed to make AWS IAM Identity Center (formerly AWS SSO) role management easier and more efficient: the AWS IAM Identity Center Access Role Portal:
https://iamidentitycenterroles.us-east-1.com/
(I am the owner of the domain us-east-1.com, and it's not directly affiliated with AWS.)
What is AWS IAM Identity Center?
As per the official docs,
AWS IAM Identity Center is the recommended AWS service for managing human user access to AWS resources. It is a single place where you can assign your workforce users, also known as workforce identities, consistent access to multiple AWS accounts and applications.
It's easier to manage than using traditional IAM Users for accessing AWS Console/CLI, where you have to configure the users/role manually in every AWS account that you own. With AWS IAM Identity Center, you can configure/delegate the same role(s) into multiple Organization AWS Accounts in one go.
The Challenge
If you do need to access multiple AWS accounts via different IAM roles in your day to day job, switching to different roles across multiple AWS accounts can be a troublesome task, especially for organizations with numerous teams and projects.
One traditional way would be to use the IAM "Switch Role" feature. It requires you to create an AWS IAM user in one AWS account, then create the IAM roles in each of the "target" AWS accounts where you wish to access manually one by one.
Thankfully, with AWS IAM Identity Center, you can access the roles from different AWS accounts within the same AWS Organization in a centralized way. Users can switch between different AWS Account IAM roles effectively.
Further if you work for multiple organizations (say you are a consultant or your company has several subsidiaries), you may need to access different AWS Organizations within a single day. In this case, you have to navigate between multiple AWS Identity Center access portals in order to get access to various AWS resources.
Thanks to AWS, there is a new Shortcut feature
Thankfully, in 2024 April, AWS also released a new shortcut feature) within AWS IAM Identity Center:
With the simple form, you can generate a deep URL link that once accessed, authenticates you to the AWS IAM Identity Center organization, assumes the IAM access role, and optionally redirects you back to a page within AWS Console.
For example, you may look at this sample deep linking URL
https://gabrielkoo.awsapps.com/start/#/console?
account_id=123456789012&
role_name=DeepracerRole&
destination=https%3A%2F%2Fus-east-1.console.aws.amazon.com%2Fdeepracer%2Fhome%3Fregion%3Dus-east-1%23models
Which when URL-decoded, it becomes:
https://gabrielkoo.awsapps.com/start/#/console?
account_id=123456789012&
role_name=DeepracerRole&
destination=https://us-east-1.console.aws.amazon.com/deepracer/home?region=us-east-1#models
Generalizing it, it becomes:
https://<IDENTITY_CENTER_ALIAS>.awsapps.com/start/#/console?
account_id=<AWS_ACCOUNT_ID>&
role_name=<SSO_ACCESS_ROLE>&
destination=<AWS_CONSOLE_CALLBACK_URL>
The Solution
Based on the problem above, I created the AWS IAM Identity Center Access Role Portal - it is a lightweight, client-side web application that provides a unified interface for managing AWS IAM Identity Center's access roles - and most importantly it supports multiple AWS Organizations.
Let's take a closer look at its features and benefits.
Easy Role Management
The portal presents all your roles in a clear, tabular format:
From this single view, you can:
- See all roles across different Identity Center aliases and AWS accounts
- Quickly access the AWS console for any role
- Edit role details
- Clone a role record to a new record
- Delete roles when they're no longer needed
- Export and import as URLs: this is particular useful if you want to share a list of deep links to your teammates!
Streamlined Role Creation
Adding a new role is as simple as clicking a button and filling out the form:
The form even allows you to paste a shortcut link (with the new feature) generated from AWS IAM Identity Center to pre-fill values, saving you time and reducing the chance of errors.
So when does it help?
When integrated with other AWS Console's pages that offers deep linking, you would just can't imagine all the possibilities that it might unblock.
For example, you have an AWS System Manager managed EC2 instance that serves as the company VPN.
Your team grows and the VPN instance often suffers from memory leak - and you know the best way is to reboot it. You have been running a Systems Manager runbook AWS-RestartEC2Instance for a while. One day you reserves an urgent request to fix the VPN as one of your business user is doing an external demo with an internal site that requires VPN connectivity.
Every second for the "reboot fix" matters.
Instead of these long steps...
- Log into AWS IAM Identity Center
- Pick the right AWS Account
- Pick the Access Role
- Get into AWS Console
- Navigate to EC2 Console
- Pick your instance
- Click "Restart"
You can just
- Click a new deep linked URL
- Log into AWS IAM Identity Center
- Execute a Systems Manager automation document with all parameters pre-filled:
https://us-east-1.console.aws.amazon.com/systems-manager/automation/execute/AWS-RestartEC2Instance?
region=us-east-1#InstanceId=<INSTANCE_ID>&AutomationAssumeRole=<ARN_OF_IAM_ROLE>
It's much more handy than the initial 7-step way!
Security First
As an AWS Community Builder, I understand the critical importance of security, especially with this entry point of AWS Console. The IAM Identity Center Access Role Portal has been designed with security as a top priority:
Client-Side Only: The entire application runs in the browser. There's no server-side component, which means there's no additional infrastructure to secure and maintain.
No Backend Data Storage: The portal doesn't store any sensitive information. It's a pure interface tool that interacts directly with your AWS environment. Data is stored in your browser's local storage only.
Leverages Existing AWS Security: By using AWS IAM Identity Center, the tool inherits AWS's robust security measures, such as multi-factor authentication and fine-grained permissions if you use AWS Identity Center's managed user directory.
Easy Deployment
Because the Access Role Portal is a static web application, deployment is straightforward. You can just use my version as-is, or download the static files from my GitHub repository.
Onboard your colleagues much faster
With my tools' import & export functions, AWS account admins can prepare a list deep linked URLs of different accounts and console pages, export it and share to your organization's new joiners. Now they can get access to various team resources much easier, which just copy pasting:
Then, you no longer need to team your new colleague every time on "how to access the CloudWatch Log group for that Lambda function?" - You can just share them the exported URL and the will have the book marks imported in their portal already.
Try this sample exported link in an incognito tab!
Conclusion
The AWS IAM Identity Center Access Role Portal demonstrates how simple tools can significantly improve our cloud management workflows. By providing a clear, unified interface for role management, it saves time, reduces errors, and enhances security.
As an AWS Community Builder, I'm committed to sharing knowledge and tools that help the community. I hope this portal will be useful for other AWS administrators dealing with multi-account environments.
The code for this project is open-source and available on GitHub https://github.com/gabrielkoo/aws-iam-identity-center-shortcut-portal. I welcome contributions and feedback from the community to make this tool even better.
Remember, effective IAM management is crucial for maintaining a secure and efficient AWS environment. Tools like this can help, but they should always be used in conjunction with AWS best practices and regular security audits.
Happy cloud computing!
Top comments (1)
Did you try and find any way to use this first role to then assume a second distinct role? (potentially one that's not within the organization) like deep-linking to the switch role page?